doc-src/Logics/Old_HOL.tex

new-style theory;
proper declarations of various induction rules;

+
−%% $Id$
+
−\chapter{Higher-Order Logic}
+
−\index{higher-order logic|(}
+
−\index{HOL system@{\sc hol} system}
+
−
+
−The theory~\thydx{HOL} implements higher-order logic.  It is based on
+
−Gordon's~{\sc hol} system~\cite{mgordon-hol}, which itself is based on
+
−Church's original paper~\cite{church40}.  Andrews's book~\cite{andrews86} is a
+
−full description of higher-order logic.  Experience with the {\sc hol} system
+
−has demonstrated that higher-order logic is useful for hardware verification;
+
−beyond this, it is widely applicable in many areas of mathematics.  It is
+
−weaker than ZF set theory but for most applications this does not matter.  If
+
−you prefer {\ML} to Lisp, you will probably prefer HOL to~ZF.
+
−
+
−Previous releases of Isabelle included a different version of~HOL, with
+
−explicit type inference rules~\cite{paulson-COLOG}.  This version no longer
+
−exists, but \thydx{ZF} supports a similar style of reasoning.
+
−
+
−HOL has a distinct feel, compared with ZF and CTT.  It identifies object-level
+
−types with meta-level types, taking advantage of Isabelle's built-in type
+
−checker.  It identifies object-level functions with meta-level functions, so
+
−it uses Isabelle's operations for abstraction and application.  There is no
+
−`apply' operator: function applications are written as simply~$f(a)$ rather
+
−than $f{\tt`}a$.
+
−
+
−These identifications allow Isabelle to support HOL particularly nicely, but
+
−they also mean that HOL requires more sophistication from the user --- in
+
−particular, an understanding of Isabelle's type system.  Beginners should work
+
−with {\tt show_types} set to {\tt true}.  Gain experience by working in
+
−first-order logic before attempting to use higher-order logic.  This chapter
+
−assumes familiarity with~FOL.
+
−
+
−
+
−\begin{figure} 
+
−\begin{center}
+
−\begin{tabular}{rrr} 
+
−  \it name      &\it meta-type  & \it description \\ 
+
−  \cdx{Trueprop}& $bool\To prop$                & coercion to $prop$\\
+
−  \cdx{not}     & $bool\To bool$                & negation ($\neg$) \\
+
−  \cdx{True}    & $bool$                        & tautology ($\top$) \\
+
−  \cdx{False}   & $bool$                        & absurdity ($\bot$) \\
+
−  \cdx{if}      & $[bool,\alpha,\alpha]\To\alpha::term$ & conditional \\
+
−  \cdx{Inv}     & $(\alpha\To\beta)\To(\beta\To\alpha)$ & function inversion\\
+
−  \cdx{Let}     & $[\alpha,\alpha\To\beta]\To\beta$ & let binder
+
−\end{tabular}
+
−\end{center}
+
−\subcaption{Constants}
+
−
+
−\begin{center}
+
−\index{"@@{\tt\at} symbol}
+
−\index{*"! symbol}\index{*"? symbol}
+
−\index{*"?"! symbol}\index{*"E"X"! symbol}
+
−\begin{tabular}{llrrr} 
+
−  \it symbol &\it name     &\it meta-type & \it description \\
+
−  \tt\at & \cdx{Eps}  & $(\alpha\To bool)\To\alpha::term$ & 
+
−        Hilbert description ($\epsilon$) \\
+
−  {\tt!~} or \sdx{ALL}  & \cdx{All}  & $(\alpha::term\To bool)\To bool$ & 
+
−        universal quantifier ($\forall$) \\
+
−  {\tt?~} or \sdx{EX}   & \cdx{Ex}   & $(\alpha::term\To bool)\To bool$ & 
+
−        existential quantifier ($\exists$) \\
+
−  {\tt?!} or {\tt EX!}  & \cdx{Ex1}  & $(\alpha::term\To bool)\To bool$ & 
+
−        unique existence ($\exists!$)
+
−\end{tabular}
+
−\end{center}
+
−\subcaption{Binders} 
+
−
+
−\begin{center}
+
−\index{*"= symbol}
+
−\index{&@{\tt\&} symbol}
+
−\index{*"| symbol}
+
−\index{*"-"-"> symbol}
+
−\begin{tabular}{rrrr} 
+
−  \it symbol    & \it meta-type & \it priority & \it description \\ 
+
−  \sdx{o}       & $[\beta\To\gamma,\alpha\To\beta]\To (\alpha\To\gamma)$ & 
+
−        Right 50 & composition ($\circ$) \\
+
−  \tt =         & $[\alpha::term,\alpha]\To bool$ & Left 50 & equality ($=$) \\
+
−  \tt <         & $[\alpha::ord,\alpha]\To bool$ & Left 50 & less than ($<$) \\
+
−  \tt <=        & $[\alpha::ord,\alpha]\To bool$ & Left 50 & 
+
−                less than or equals ($\leq$)\\
+
−  \tt \&        & $[bool,bool]\To bool$ & Right 35 & conjunction ($\conj$) \\
+
−  \tt |         & $[bool,bool]\To bool$ & Right 30 & disjunction ($\disj$) \\
+
−  \tt -->       & $[bool,bool]\To bool$ & Right 25 & implication ($\imp$)
+
−\end{tabular}
+
−\end{center}
+
−\subcaption{Infixes}
+
−\caption{Syntax of {\tt HOL}} \label{hol-constants}
+
−\end{figure}
+
−
+
−
+
−\begin{figure}
+
−\index{*let symbol}
+
−\index{*in symbol}
+
−\dquotes
+
−\[\begin{array}{rclcl}
+
−    term & = & \hbox{expression of class~$term$} \\
+
−         & | & "\at~" id~id^* " . " formula \\
+
−         & | & 
+
−    \multicolumn{3}{l}{"let"~id~"="~term";"\dots";"~id~"="~term~"in"~term}
+
−               \\[2ex]
+
− formula & = & \hbox{expression of type~$bool$} \\
+
−         & | & term " = " term \\
+
−         & | & term " \ttilde= " term \\
+
−         & | & term " < " term \\
+
−         & | & term " <= " term \\
+
−         & | & "\ttilde\ " formula \\
+
−         & | & formula " \& " formula \\
+
−         & | & formula " | " formula \\
+
−         & | & formula " --> " formula \\
+
−         & | & "!~~~" id~id^* " . " formula 
+
−         & | & "ALL~" id~id^* " . " formula \\
+
−         & | & "?~~~" id~id^* " . " formula 
+
−         & | & "EX~~" id~id^* " . " formula \\
+
−         & | & "?!~~" id~id^* " . " formula 
+
−         & | & "EX!~" id~id^* " . " formula
+
−  \end{array}
+
−\]
+
−\caption{Full grammar for HOL} \label{hol-grammar}
+
−\end{figure} 
+
−
+
−
+
−\section{Syntax}
+
−The type class of higher-order terms is called~\cldx{term}.  Type variables
+
−range over this class by default.  The equality symbol and quantifiers are
+
−polymorphic over class {\tt term}.
+
−
+
−Class \cldx{ord} consists of all ordered types; the relations $<$ and
+
−$\leq$ are polymorphic over this class, as are the functions
+
−\cdx{mono}, \cdx{min} and \cdx{max}.  Three other
+
−type classes --- \cldx{plus}, \cldx{minus} and \cldx{times} --- permit
+
−overloading of the operators {\tt+}, {\tt-} and {\tt*}.  In particular,
+
−{\tt-} is overloaded for set difference and subtraction.
+
−\index{*"+ symbol}
+
−\index{*"- symbol}
+
−\index{*"* symbol}
+
−
+
−Figure~\ref{hol-constants} lists the constants (including infixes and
+
−binders), while Fig.\ts\ref{hol-grammar} presents the grammar of
+
−higher-order logic.  Note that $a$\verb|~=|$b$ is translated to
+
−$\neg(a=b)$.
+
−
+
−\begin{warn}
+
−  HOL has no if-and-only-if connective; logical equivalence is expressed
+
−  using equality.  But equality has a high priority, as befitting a
+
−  relation, while if-and-only-if typically has the lowest priority.  Thus,
+
−  $\neg\neg P=P$ abbreviates $\neg\neg (P=P)$ and not $(\neg\neg P)=P$.
+
−  When using $=$ to mean logical equivalence, enclose both operands in
+
−  parentheses.
+
−\end{warn}
+
−
+
−\subsection{Types}\label{HOL-types}
+
−The type of formulae, \tydx{bool}, belongs to class \cldx{term}; thus,
+
−formulae are terms.  The built-in type~\tydx{fun}, which constructs function
+
−types, is overloaded with arity {\tt(term,term)term}.  Thus, $\sigma\To\tau$
+
−belongs to class~{\tt term} if $\sigma$ and~$\tau$ do, allowing quantification
+
−over functions.
+
−
+
−Types in HOL must be non-empty; otherwise the quantifier rules would be
+
−unsound.  I have commented on this elsewhere~\cite[\S7]{paulson-COLOG}.
+
−
+
−\index{type definitions}
+
−Gordon's {\sc hol} system supports {\bf type definitions}.  A type is
+
−defined by exhibiting an existing type~$\sigma$, a predicate~$P::\sigma\To
+
−bool$, and a theorem of the form $\exists x::\sigma.P(x)$.  Thus~$P$
+
−specifies a non-empty subset of~$\sigma$, and the new type denotes this
+
−subset.  New function constants are generated to establish an isomorphism
+
−between the new type and the subset.  If type~$\sigma$ involves type
+
−variables $\alpha@1$, \ldots, $\alpha@n$, then the type definition creates
+
−a type constructor $(\alpha@1,\ldots,\alpha@n)ty$ rather than a particular
+
−type.  Melham~\cite{melham89} discusses type definitions at length, with
+
−examples. 
+
−
+
−Isabelle does not support type definitions at present.  Instead, they are
+
−mimicked by explicit definitions of isomorphism functions.  The definitions
+
−should be supported by theorems of the form $\exists x::\sigma.P(x)$, but
+
−Isabelle cannot enforce this.
+
−
+
−
+
−\subsection{Binders}
+
−Hilbert's {\bf description} operator~$\epsilon x.P[x]$ stands for some~$a$
+
−satisfying~$P[a]$, if such exists.  Since all terms in HOL denote something, a
+
−description is always meaningful, but we do not know its value unless $P[x]$
+
−defines it uniquely.  We may write descriptions as \cdx{Eps}($P$) or use the
+
−syntax \hbox{\tt \at $x$.$P[x]$}.
+
−
+
−Existential quantification is defined by
+
−\[ \exists x.P(x) \;\equiv\; P(\epsilon x.P(x)). \]
+
−The unique existence quantifier, $\exists!x.P[x]$, is defined in terms
+
−of~$\exists$ and~$\forall$.  An Isabelle binder, it admits nested
+
−quantifications.  For instance, $\exists!x y.P(x,y)$ abbreviates
+
−$\exists!x. \exists!y.P(x,y)$; note that this does not mean that there
+
−exists a unique pair $(x,y)$ satisfying~$P(x,y)$.
+
−
+
−\index{*"! symbol}\index{*"? symbol}\index{HOL system@{\sc hol} system}
+
−Quantifiers have two notations.  As in Gordon's {\sc hol} system, HOL
+
−uses~{\tt!}\ and~{\tt?}\ to stand for $\forall$ and $\exists$.  The
+
−existential quantifier must be followed by a space; thus {\tt?x} is an
+
−unknown, while \verb'? x.f(x)=y' is a quantification.  Isabelle's usual
+
−notation for quantifiers, \sdx{ALL} and \sdx{EX}, is also available.  Both
+
−notations are accepted for input.  The {\ML} reference
+
−\ttindexbold{HOL_quantifiers} governs the output notation.  If set to {\tt
+
−  true}, then~{\tt!}\ and~{\tt?}\ are displayed; this is the default.  If set
+
−to {\tt false}, then~{\tt ALL} and~{\tt EX} are displayed.
+
−
+
−All these binders have priority 10. 
+
−
+
−
+
−\subsection{The \sdx{let} and \sdx{case} constructions}
+
−Local abbreviations can be introduced by a {\tt let} construct whose
+
−syntax appears in Fig.\ts\ref{hol-grammar}.  Internally it is translated into
+
−the constant~\cdx{Let}.  It can be expanded by rewriting with its
+
−definition, \tdx{Let_def}.
+
−
+
−HOL also defines the basic syntax
+
−\[\dquotes"case"~e~"of"~c@1~"=>"~e@1~"|" \dots "|"~c@n~"=>"~e@n\] 
+
−as a uniform means of expressing {\tt case} constructs.  Therefore {\tt
+
−  case} and \sdx{of} are reserved words.  However, so far this is mere
+
−syntax and has no logical meaning.  By declaring translations, you can
+
−cause instances of the {\tt case} construct to denote applications of
+
−particular case operators.  The patterns supplied for $c@1$,~\ldots,~$c@n$
+
−distinguish among the different case operators.  For an example, see the
+
−case construct for lists on page~\pageref{hol-list} below.
+
−
+
−
+
−\begin{figure}
+
−\begin{ttbox}\makeatother
+
−\tdx{refl}           t = (t::'a)
+
−\tdx{subst}          [| s=t; P(s) |] ==> P(t::'a)
+
−\tdx{ext}            (!!x::'a. (f(x)::'b) = g(x)) ==> (\%x.f(x)) = (\%x.g(x))
+
−\tdx{impI}           (P ==> Q) ==> P-->Q
+
−\tdx{mp}             [| P-->Q;  P |] ==> Q
+
−\tdx{iff}            (P-->Q) --> (Q-->P) --> (P=Q)
+
−\tdx{selectI}        P(x::'a) ==> P(@x.P(x))
+
−\tdx{True_or_False}  (P=True) | (P=False)
+
−\end{ttbox}
+
−\caption{The {\tt HOL} rules} \label{hol-rules}
+
−\end{figure}
+
−
+
−
+
−\begin{figure}\hfuzz=4pt%suppress "Overfull \hbox" message
+
−\begin{ttbox}\makeatother
+
−\tdx{True_def}   True  == ((\%x::bool.x)=(\%x.x))
+
−\tdx{All_def}    All   == (\%P. P = (\%x.True))
+
−\tdx{Ex_def}     Ex    == (\%P. P(@x.P(x)))
+
−\tdx{False_def}  False == (!P.P)
+
−\tdx{not_def}    not   == (\%P. P-->False)
+
−\tdx{and_def}    op &  == (\%P Q. !R. (P-->Q-->R) --> R)
+
−\tdx{or_def}     op |  == (\%P Q. !R. (P-->R) --> (Q-->R) --> R)
+
−\tdx{Ex1_def}    Ex1   == (\%P. ? x. P(x) & (! y. P(y) --> y=x))
+
−
+
−\tdx{Inv_def}    Inv   == (\%(f::'a=>'b) y. @x. f(x)=y)
+
−\tdx{o_def}      op o  == (\%(f::'b=>'c) g (x::'a). f(g(x)))
+
−\tdx{if_def}     if    == (\%P x y.@z::'a.(P=True --> z=x) & (P=False --> z=y))
+
−\tdx{Let_def}    Let(s,f) == f(s)
+
−\end{ttbox}
+
−\caption{The {\tt HOL} definitions} \label{hol-defs}
+
−\end{figure}
+
−
+
−
+
−\section{Rules of inference}
+
−Figure~\ref{hol-rules} shows the inference rules of~HOL, with their~{\ML}
+
−names.  Some of the rules deserve additional comments:
+
−\begin{ttdescription}
+
−\item[\tdx{ext}] expresses extensionality of functions.
+
−\item[\tdx{iff}] asserts that logically equivalent formulae are
+
−  equal.
+
−\item[\tdx{selectI}] gives the defining property of the Hilbert
+
−  $\epsilon$-operator.  It is a form of the Axiom of Choice.  The derived rule
+
−  \tdx{select_equality} (see below) is often easier to use.
+
−\item[\tdx{True_or_False}] makes the logic classical.\footnote{In
+
−    fact, the $\epsilon$-operator already makes the logic classical, as
+
−    shown by Diaconescu; see Paulson~\cite{paulson-COLOG} for details.}
+
−\end{ttdescription}
+
−
+
−HOL follows standard practice in higher-order logic: only a few connectives
+
−are taken as primitive, with the remainder defined obscurely
+
−(Fig.\ts\ref{hol-defs}).  Gordon's {\sc hol} system expresses the
+
−corresponding definitions \cite[page~270]{mgordon-hol} using
+
−object-equality~({\tt=}), which is possible because equality in higher-order
+
−logic may equate formulae and even functions over formulae.  But theory~HOL,
+
−like all other Isabelle theories, uses meta-equality~({\tt==}) for
+
−definitions.
+
−
+
−Some of the rules mention type variables; for
+
−example, {\tt refl} mentions the type variable~{\tt'a}.  This allows you to
+
−instantiate type variables explicitly by calling {\tt res_inst_tac}.  By
+
−default, explicit type variables have class \cldx{term}.
+
−
+
−Include type constraints whenever you state a polymorphic goal.  Type
+
−inference may otherwise make the goal more polymorphic than you intended,
+
−with confusing results.
+
−
+
−\begin{warn}
+
−  If resolution fails for no obvious reason, try setting
+
−  \ttindex{show_types} to {\tt true}, causing Isabelle to display types of
+
−  terms.  Possibly set \ttindex{show_sorts} to {\tt true} as well, causing
+
−  Isabelle to display sorts.
+
−
+
−  \index{unification!incompleteness of}
+
−  Where function types are involved, Isabelle's unification code does not
+
−  guarantee to find instantiations for type variables automatically.  Be
+
−  prepared to use \ttindex{res_inst_tac} instead of {\tt resolve_tac},
+
−  possibly instantiating type variables.  Setting
+
−  \ttindex{Unify.trace_types} to {\tt true} causes Isabelle to report
+
−  omitted search paths during unification.\index{tracing!of unification}
+
−\end{warn}
+
−
+
−
+
−\begin{figure}
+
−\begin{ttbox}
+
−\tdx{sym}         s=t ==> t=s
+
−\tdx{trans}       [| r=s; s=t |] ==> r=t
+
−\tdx{ssubst}      [| t=s; P(s) |] ==> P(t::'a)
+
−\tdx{box_equals}  [| a=b;  a=c;  b=d |] ==> c=d  
+
−\tdx{arg_cong}    x=y ==> f(x)=f(y)
+
−\tdx{fun_cong}    f=g ==> f(x)=g(x)
+
−\subcaption{Equality}
+
−
+
−\tdx{TrueI}       True 
+
−\tdx{FalseE}      False ==> P
+
−
+
−\tdx{conjI}       [| P; Q |] ==> P&Q
+
−\tdx{conjunct1}   [| P&Q |] ==> P
+
−\tdx{conjunct2}   [| P&Q |] ==> Q 
+
−\tdx{conjE}       [| P&Q;  [| P; Q |] ==> R |] ==> R
+
−
+
−\tdx{disjI1}      P ==> P|Q
+
−\tdx{disjI2}      Q ==> P|Q
+
−\tdx{disjE}       [| P | Q; P ==> R; Q ==> R |] ==> R
+
−
+
−\tdx{notI}        (P ==> False) ==> ~ P
+
−\tdx{notE}        [| ~ P;  P |] ==> R
+
−\tdx{impE}        [| P-->Q;  P;  Q ==> R |] ==> R
+
−\subcaption{Propositional logic}
+
−
+
−\tdx{iffI}        [| P ==> Q;  Q ==> P |] ==> P=Q
+
−\tdx{iffD1}       [| P=Q; P |] ==> Q
+
−\tdx{iffD2}       [| P=Q; Q |] ==> P
+
−\tdx{iffE}        [| P=Q; [| P --> Q; Q --> P |] ==> R |] ==> R
+
−
+
−\tdx{eqTrueI}     P ==> P=True 
+
−\tdx{eqTrueE}     P=True ==> P 
+
−\subcaption{Logical equivalence}
+
−
+
−\end{ttbox}
+
−\caption{Derived rules for HOL} \label{hol-lemmas1}
+
−\end{figure}
+
−
+
−
+
−\begin{figure}
+
−\begin{ttbox}\makeatother
+
−\tdx{allI}      (!!x::'a. P(x)) ==> !x. P(x)
+
−\tdx{spec}      !x::'a.P(x) ==> P(x)
+
−\tdx{allE}      [| !x.P(x);  P(x) ==> R |] ==> R
+
−\tdx{all_dupE}  [| !x.P(x);  [| P(x); !x.P(x) |] ==> R |] ==> R
+
−
+
−\tdx{exI}       P(x) ==> ? x::'a.P(x)
+
−\tdx{exE}       [| ? x::'a.P(x); !!x. P(x) ==> Q |] ==> Q
+
−
+
−\tdx{ex1I}      [| P(a);  !!x. P(x) ==> x=a |] ==> ?! x. P(x)
+
−\tdx{ex1E}      [| ?! x.P(x);  !!x. [| P(x);  ! y. P(y) --> y=x |] ==> R 
+
−          |] ==> R
+
−
+
−\tdx{select_equality} [| P(a);  !!x. P(x) ==> x=a |] ==> (@x.P(x)) = a
+
−\subcaption{Quantifiers and descriptions}
+
−
+
−\tdx{ccontr}          (~P ==> False) ==> P
+
−\tdx{classical}       (~P ==> P) ==> P
+
−\tdx{excluded_middle} ~P | P
+
−
+
−\tdx{disjCI}          (~Q ==> P) ==> P|Q
+
−\tdx{exCI}            (! x. ~ P(x) ==> P(a)) ==> ? x.P(x)
+
−\tdx{impCE}           [| P-->Q; ~ P ==> R; Q ==> R |] ==> R
+
−\tdx{iffCE}           [| P=Q;  [| P;Q |] ==> R;  [| ~P; ~Q |] ==> R |] ==> R
+
−\tdx{notnotD}         ~~P ==> P
+
−\tdx{swap}            ~P ==> (~Q ==> P) ==> Q
+
−\subcaption{Classical logic}
+
−
+
−\tdx{if_True}         if(True,x,y) = x
+
−\tdx{if_False}        if(False,x,y) = y
+
−\tdx{if_P}            P ==> if(P,x,y) = x
+
−\tdx{if_not_P}        ~ P ==> if(P,x,y) = y
+
−\tdx{expand_if}       P(if(Q,x,y)) = ((Q --> P(x)) & (~Q --> P(y)))
+
−\subcaption{Conditionals}
+
−\end{ttbox}
+
−\caption{More derived rules} \label{hol-lemmas2}
+
−\end{figure}
+
−
+
−
+
−Some derived rules are shown in Figures~\ref{hol-lemmas1}
+
−and~\ref{hol-lemmas2}, with their {\ML} names.  These include natural rules
+
−for the logical connectives, as well as sequent-style elimination rules for
+
−conjunctions, implications, and universal quantifiers.  
+
−
+
−Note the equality rules: \tdx{ssubst} performs substitution in
+
−backward proofs, while \tdx{box_equals} supports reasoning by
+
−simplifying both sides of an equation.
+
−
+
−
+
−\begin{figure} 
+
−\begin{center}
+
−\begin{tabular}{rrr} 
+
−  \it name      &\it meta-type  & \it description \\ 
+
−\index{{}@\verb'{}' symbol}
+
−  \verb|{}|     & $\alpha\,set$         & the empty set \\
+
−  \cdx{insert}  & $[\alpha,\alpha\,set]\To \alpha\,set$
+
−        & insertion of element \\
+
−  \cdx{Collect} & $(\alpha\To bool)\To\alpha\,set$
+
−        & comprehension \\
+
−  \cdx{Compl}   & $(\alpha\,set)\To\alpha\,set$
+
−        & complement \\
+
−  \cdx{INTER} & $[\alpha\,set,\alpha\To\beta\,set]\To\beta\,set$
+
−        & intersection over a set\\
+
−  \cdx{UNION} & $[\alpha\,set,\alpha\To\beta\,set]\To\beta\,set$
+
−        & union over a set\\
+
−  \cdx{Inter} & $(\alpha\,set)set\To\alpha\,set$
+
−        &set of sets intersection \\
+
−  \cdx{Union} & $(\alpha\,set)set\To\alpha\,set$
+
−        &set of sets union \\
+
−  \cdx{Pow}   & $\alpha\,set \To (\alpha\,set)set$
+
−        & powerset \\[1ex]
+
−  \cdx{range}   & $(\alpha\To\beta )\To\beta\,set$
+
−        & range of a function \\[1ex]
+
−  \cdx{Ball}~~\cdx{Bex} & $[\alpha\,set,\alpha\To bool]\To bool$
+
−        & bounded quantifiers \\
+
−  \cdx{mono}    & $(\alpha\,set\To\beta\,set)\To bool$
+
−        & monotonicity \\
+
−  \cdx{inj}~~\cdx{surj}& $(\alpha\To\beta )\To bool$
+
−        & injective/surjective \\
+
−  \cdx{inj_onto}        & $[\alpha\To\beta ,\alpha\,set]\To bool$
+
−        & injective over subset
+
−\end{tabular}
+
−\end{center}
+
−\subcaption{Constants}
+
−
+
−\begin{center}
+
−\begin{tabular}{llrrr} 
+
−  \it symbol &\it name     &\it meta-type & \it priority & \it description \\
+
−  \sdx{INT}  & \cdx{INTER1}  & $(\alpha\To\beta\,set)\To\beta\,set$ & 10 & 
+
−        intersection over a type\\
+
−  \sdx{UN}  & \cdx{UNION1}  & $(\alpha\To\beta\,set)\To\beta\,set$ & 10 & 
+
−        union over a type
+
−\end{tabular}
+
−\end{center}
+
−\subcaption{Binders} 
+
−
+
−\begin{center}
+
−\index{*"`"` symbol}
+
−\index{*": symbol}
+
−\index{*"<"= symbol}
+
−\begin{tabular}{rrrr} 
+
−  \it symbol    & \it meta-type & \it priority & \it description \\ 
+
−  \tt ``        & $[\alpha\To\beta ,\alpha\,set]\To  (\beta\,set)$
+
−        & Left 90 & image \\
+
−  \sdx{Int}     & $[\alpha\,set,\alpha\,set]\To\alpha\,set$
+
−        & Left 70 & intersection ($\inter$) \\
+
−  \sdx{Un}      & $[\alpha\,set,\alpha\,set]\To\alpha\,set$
+
−        & Left 65 & union ($\union$) \\
+
−  \tt:          & $[\alpha ,\alpha\,set]\To bool$       
+
−        & Left 50 & membership ($\in$) \\
+
−  \tt <=        & $[\alpha\,set,\alpha\,set]\To bool$
+
−        & Left 50 & subset ($\subseteq$) 
+
−\end{tabular}
+
−\end{center}
+
−\subcaption{Infixes}
+
−\caption{Syntax of the theory {\tt Set}} \label{hol-set-syntax}
+
−\end{figure} 
+
−
+
−
+
−\begin{figure} 
+
−\begin{center} \tt\frenchspacing
+
−\index{*"! symbol}
+
−\begin{tabular}{rrr} 
+
−  \it external          & \it internal  & \it description \\ 
+
−  $a$ \ttilde: $b$      & \ttilde($a$ : $b$)    & \rm non-membership\\
+
−  \{$a@1$, $\ldots$\}  &  insert($a@1$, $\ldots$\{\}) & \rm finite set \\
+
−  \{$x$.$P[x]$\}        &  Collect($\lambda x.P[x]$) &
+
−        \rm comprehension \\
+
−  \sdx{INT} $x$:$A$.$B[x]$      & INTER($A$,$\lambda x.B[x]$) &
+
−        \rm intersection \\
+
−  \sdx{UN}{\tt\ }  $x$:$A$.$B[x]$      & UNION($A$,$\lambda x.B[x]$) &
+
−        \rm union \\
+
−  \tt ! $x$:$A$.$P[x]$ or \sdx{ALL} $x$:$A$.$P[x]$ & 
+
−        Ball($A$,$\lambda x.P[x]$) & 
+
−        \rm bounded $\forall$ \\
+
−  \sdx{?} $x$:$A$.$P[x]$ or \sdx{EX}{\tt\ } $x$:$A$.$P[x]$ & 
+
−        Bex($A$,$\lambda x.P[x]$) & \rm bounded $\exists$
+
−\end{tabular}
+
−\end{center}
+
−\subcaption{Translations}
+
−
+
−\dquotes
+
−\[\begin{array}{rclcl}
+
−    term & = & \hbox{other terms\ldots} \\
+
−         & | & "\{\}" \\
+
−         & | & "\{ " term\; ("," term)^* " \}" \\
+
−         & | & "\{ " id " . " formula " \}" \\
+
−         & | & term " `` " term \\
+
−         & | & term " Int " term \\
+
−         & | & term " Un " term \\
+
−         & | & "INT~~"  id ":" term " . " term \\
+
−         & | & "UN~~~"  id ":" term " . " term \\
+
−         & | & "INT~~"  id~id^* " . " term \\
+
−         & | & "UN~~~"  id~id^* " . " term \\[2ex]
+
− formula & = & \hbox{other formulae\ldots} \\
+
−         & | & term " : " term \\
+
−         & | & term " \ttilde: " term \\
+
−         & | & term " <= " term \\
+
−         & | & "!~" id ":" term " . " formula 
+
−         & | & "ALL " id ":" term " . " formula \\
+
−         & | & "?~" id ":" term " . " formula 
+
−         & | & "EX~~" id ":" term " . " formula
+
−  \end{array}
+
−\]
+
−\subcaption{Full Grammar}
+
−\caption{Syntax of the theory {\tt Set} (continued)} \label{hol-set-syntax2}
+
−\end{figure} 
+
−
+
−
+
−\section{A formulation of set theory}
+
−Historically, higher-order logic gives a foundation for Russell and
+
−Whitehead's theory of classes.  Let us use modern terminology and call them
+
−{\bf sets}, but note that these sets are distinct from those of ZF set theory,
+
−and behave more like ZF classes.
+
−\begin{itemize}
+
−\item
+
−Sets are given by predicates over some type~$\sigma$.  Types serve to
+
−define universes for sets, but type checking is still significant.
+
−\item
+
−There is a universal set (for each type).  Thus, sets have complements, and
+
−may be defined by absolute comprehension.
+
−\item
+
−Although sets may contain other sets as elements, the containing set must
+
−have a more complex type.
+
−\end{itemize}
+
−Finite unions and intersections have the same behaviour in HOL as they do
+
−in~ZF.  In HOL the intersection of the empty set is well-defined, denoting the
+
−universal set for the given type.
+
−
+
−
+
−\subsection{Syntax of set theory}\index{*set type}
+
−HOL's set theory is called \thydx{Set}.  The type $\alpha\,set$ is essentially
+
−the same as $\alpha\To bool$.  The new type is defined for clarity and to
+
−avoid complications involving function types in unification.  Since Isabelle
+
−does not support type definitions (as mentioned in \S\ref{HOL-types}), the
+
−isomorphisms between the two types are declared explicitly.  Here they are
+
−natural: {\tt Collect} maps $\alpha\To bool$ to $\alpha\,set$, while \hbox{\tt
+
−  op :} maps in the other direction (ignoring argument order).
+
−
+
−Figure~\ref{hol-set-syntax} lists the constants, infixes, and syntax
+
−translations.  Figure~\ref{hol-set-syntax2} presents the grammar of the new
+
−constructs.  Infix operators include union and intersection ($A\union B$
+
−and $A\inter B$), the subset and membership relations, and the image
+
−operator~{\tt``}\@.  Note that $a$\verb|~:|$b$ is translated to
+
−$\neg(a\in b)$.  
+
−
+
−The {\tt\{\ldots\}} notation abbreviates finite sets constructed in the
+
−obvious manner using~{\tt insert} and~$\{\}$:
+
−\begin{eqnarray*}
+
−  \{a@1, \ldots, a@n\}  & \equiv &  
+
−  {\tt insert}(a@1,\ldots,{\tt insert}(a@n,\{\}))
+
−\end{eqnarray*}
+
−
+
−The set \hbox{\tt\{$x$.$P[x]$\}} consists of all $x$ (of suitable type) that
+
−satisfy~$P[x]$, where $P[x]$ is a formula that may contain free occurrences
+
−of~$x$.  This syntax expands to \cdx{Collect}$(\lambda x.P[x])$.  It defines
+
−sets by absolute comprehension, which is impossible in~ZF; the type of~$x$
+
−implicitly restricts the comprehension.
+
−
+
−The set theory defines two {\bf bounded quantifiers}:
+
−\begin{eqnarray*}
+
−   \forall x\in A.P[x] &\hbox{abbreviates}& \forall x. x\in A\imp P[x] \\
+
−   \exists x\in A.P[x] &\hbox{abbreviates}& \exists x. x\in A\conj P[x]
+
−\end{eqnarray*}
+
−The constants~\cdx{Ball} and~\cdx{Bex} are defined
+
−accordingly.  Instead of {\tt Ball($A$,$P$)} and {\tt Bex($A$,$P$)} we may
+
−write\index{*"! symbol}\index{*"? symbol}
+
−\index{*ALL symbol}\index{*EX symbol} 
+
−%
+
−\hbox{\tt !~$x$:$A$.$P[x]$} and \hbox{\tt ?~$x$:$A$.$P[x]$}.  Isabelle's
+
−usual quantifier symbols, \sdx{ALL} and \sdx{EX}, are also accepted
+
−for input.  As with the primitive quantifiers, the {\ML} reference
+
−\ttindex{HOL_quantifiers} specifies which notation to use for output.
+
−
+
−Unions and intersections over sets, namely $\bigcup@{x\in A}B[x]$ and
+
−$\bigcap@{x\in A}B[x]$, are written 
+
−\sdx{UN}~\hbox{\tt$x$:$A$.$B[x]$} and
+
−\sdx{INT}~\hbox{\tt$x$:$A$.$B[x]$}.  
+
−
+
−Unions and intersections over types, namely $\bigcup@x B[x]$ and $\bigcap@x
+
−B[x]$, are written \sdx{UN}~\hbox{\tt$x$.$B[x]$} and
+
−\sdx{INT}~\hbox{\tt$x$.$B[x]$}.  They are equivalent to the previous
+
−union and intersection operators when $A$ is the universal set.
+
−
+
−The operators $\bigcup A$ and $\bigcap A$ act upon sets of sets.  They are
+
−not binders, but are equal to $\bigcup@{x\in A}x$ and $\bigcap@{x\in A}x$,
+
−respectively.
+
−
+
−
+
−\begin{figure} \underscoreon
+
−\begin{ttbox}
+
−\tdx{mem_Collect_eq}    (a : \{x.P(x)\}) = P(a)
+
−\tdx{Collect_mem_eq}    \{x.x:A\} = A
+
−
+
−\tdx{empty_def}         \{\}          == \{x.False\}
+
−\tdx{insert_def}        insert(a,B) == \{x.x=a\} Un B
+
−\tdx{Ball_def}          Ball(A,P)   == ! x. x:A --> P(x)
+
−\tdx{Bex_def}           Bex(A,P)    == ? x. x:A & P(x)
+
−\tdx{subset_def}        A <= B      == ! x:A. x:B
+
−\tdx{Un_def}            A Un B      == \{x.x:A | x:B\}
+
−\tdx{Int_def}           A Int B     == \{x.x:A & x:B\}
+
−\tdx{set_diff_def}      A - B       == \{x.x:A & x~:B\}
+
−\tdx{Compl_def}         Compl(A)    == \{x. ~ x:A\}
+
−\tdx{INTER_def}         INTER(A,B)  == \{y. ! x:A. y: B(x)\}
+
−\tdx{UNION_def}         UNION(A,B)  == \{y. ? x:A. y: B(x)\}
+
−\tdx{INTER1_def}        INTER1(B)   == INTER(\{x.True\}, B)
+
−\tdx{UNION1_def}        UNION1(B)   == UNION(\{x.True\}, B)
+
−\tdx{Inter_def}         Inter(S)    == (INT x:S. x)
+
−\tdx{Union_def}         Union(S)    == (UN  x:S. x)
+
−\tdx{Pow_def}           Pow(A)      == \{B. B <= A\}
+
−\tdx{image_def}         f``A        == \{y. ? x:A. y=f(x)\}
+
−\tdx{range_def}         range(f)    == \{y. ? x. y=f(x)\}
+
−\tdx{mono_def}          mono(f)     == !A B. A <= B --> f(A) <= f(B)
+
−\tdx{inj_def}           inj(f)      == ! x y. f(x)=f(y) --> x=y
+
−\tdx{surj_def}          surj(f)     == ! y. ? x. y=f(x)
+
−\tdx{inj_onto_def}      inj_onto(f,A) == !x:A. !y:A. f(x)=f(y) --> x=y
+
−\end{ttbox}
+
−\caption{Rules of the theory {\tt Set}} \label{hol-set-rules}
+
−\end{figure}
+
−
+
−
+
−\begin{figure} \underscoreon
+
−\begin{ttbox}
+
−\tdx{CollectI}        [| P(a) |] ==> a : \{x.P(x)\}
+
−\tdx{CollectD}        [| a : \{x.P(x)\} |] ==> P(a)
+
−\tdx{CollectE}        [| a : \{x.P(x)\};  P(a) ==> W |] ==> W
+
−
+
−\tdx{ballI}           [| !!x. x:A ==> P(x) |] ==> ! x:A. P(x)
+
−\tdx{bspec}           [| ! x:A. P(x);  x:A |] ==> P(x)
+
−\tdx{ballE}           [| ! x:A. P(x);  P(x) ==> Q;  ~ x:A ==> Q |] ==> Q
+
−
+
−\tdx{bexI}            [| P(x);  x:A |] ==> ? x:A. P(x)
+
−\tdx{bexCI}           [| ! x:A. ~ P(x) ==> P(a);  a:A |] ==> ? x:A.P(x)
+
−\tdx{bexE}            [| ? x:A. P(x);  !!x. [| x:A; P(x) |] ==> Q  |] ==> Q
+
−\subcaption{Comprehension and Bounded quantifiers}
+
−
+
−\tdx{subsetI}         (!!x.x:A ==> x:B) ==> A <= B
+
−\tdx{subsetD}         [| A <= B;  c:A |] ==> c:B
+
−\tdx{subsetCE}        [| A <= B;  ~ (c:A) ==> P;  c:B ==> P |] ==> P
+
−
+
−\tdx{subset_refl}     A <= A
+
−\tdx{subset_trans}    [| A<=B;  B<=C |] ==> A<=C
+
−
+
−\tdx{equalityI}       [| A <= B;  B <= A |] ==> A = B
+
−\tdx{equalityD1}      A = B ==> A<=B
+
−\tdx{equalityD2}      A = B ==> B<=A
+
−\tdx{equalityE}       [| A = B;  [| A<=B; B<=A |] ==> P |]  ==>  P
+
−
+
−\tdx{equalityCE}      [| A = B;  [| c:A; c:B |] ==> P;  
+
−                           [| ~ c:A; ~ c:B |] ==> P 
+
−                |]  ==>  P
+
−\subcaption{The subset and equality relations}
+
−\end{ttbox}
+
−\caption{Derived rules for set theory} \label{hol-set1}
+
−\end{figure}
+
−
+
−
+
−\begin{figure} \underscoreon
+
−\begin{ttbox}
+
−\tdx{emptyE}   a : \{\} ==> P
+
−
+
−\tdx{insertI1} a : insert(a,B)
+
−\tdx{insertI2} a : B ==> a : insert(b,B)
+
−\tdx{insertE}  [| a : insert(b,A);  a=b ==> P;  a:A ==> P |] ==> P
+
−
+
−\tdx{ComplI}   [| c:A ==> False |] ==> c : Compl(A)
+
−\tdx{ComplD}   [| c : Compl(A) |] ==> ~ c:A
+
−
+
−\tdx{UnI1}     c:A ==> c : A Un B
+
−\tdx{UnI2}     c:B ==> c : A Un B
+
−\tdx{UnCI}     (~c:B ==> c:A) ==> c : A Un B
+
−\tdx{UnE}      [| c : A Un B;  c:A ==> P;  c:B ==> P |] ==> P
+
−
+
−\tdx{IntI}     [| c:A;  c:B |] ==> c : A Int B
+
−\tdx{IntD1}    c : A Int B ==> c:A
+
−\tdx{IntD2}    c : A Int B ==> c:B
+
−\tdx{IntE}     [| c : A Int B;  [| c:A; c:B |] ==> P |] ==> P
+
−
+
−\tdx{UN_I}     [| a:A;  b: B(a) |] ==> b: (UN x:A. B(x))
+
−\tdx{UN_E}     [| b: (UN x:A. B(x));  !!x.[| x:A;  b:B(x) |] ==> R |] ==> R
+
−
+
−\tdx{INT_I}    (!!x. x:A ==> b: B(x)) ==> b : (INT x:A. B(x))
+
−\tdx{INT_D}    [| b: (INT x:A. B(x));  a:A |] ==> b: B(a)
+
−\tdx{INT_E}    [| b: (INT x:A. B(x));  b: B(a) ==> R;  ~ a:A ==> R |] ==> R
+
−
+
−\tdx{UnionI}   [| X:C;  A:X |] ==> A : Union(C)
+
−\tdx{UnionE}   [| A : Union(C);  !!X.[| A:X;  X:C |] ==> R |] ==> R
+
−
+
−\tdx{InterI}   [| !!X. X:C ==> A:X |] ==> A : Inter(C)
+
−\tdx{InterD}   [| A : Inter(C);  X:C |] ==> A:X
+
−\tdx{InterE}   [| A : Inter(C);  A:X ==> R;  ~ X:C ==> R |] ==> R
+
−
+
−\tdx{PowI}     A<=B ==> A: Pow(B)
+
−\tdx{PowD}     A: Pow(B) ==> A<=B
+
−\end{ttbox}
+
−\caption{Further derived rules for set theory} \label{hol-set2}
+
−\end{figure}
+
−
+
−
+
−\subsection{Axioms and rules of set theory}
+
−Figure~\ref{hol-set-rules} presents the rules of theory \thydx{Set}.  The
+
−axioms \tdx{mem_Collect_eq} and \tdx{Collect_mem_eq} assert
+
−that the functions {\tt Collect} and \hbox{\tt op :} are isomorphisms.  Of
+
−course, \hbox{\tt op :} also serves as the membership relation.
+
−
+
−All the other axioms are definitions.  They include the empty set, bounded
+
−quantifiers, unions, intersections, complements and the subset relation.
+
−They also include straightforward properties of functions: image~({\tt``}) and
+
−{\tt range}, and predicates concerning monotonicity, injectiveness and
+
−surjectiveness.  
+
−
+
−The predicate \cdx{inj_onto} is used for simulating type definitions.
+
−The statement ${\tt inj_onto}(f,A)$ asserts that $f$ is injective on the
+
−set~$A$, which specifies a subset of its domain type.  In a type
+
−definition, $f$ is the abstraction function and $A$ is the set of valid
+
−representations; we should not expect $f$ to be injective outside of~$A$.
+
−
+
−\begin{figure} \underscoreon
+
−\begin{ttbox}
+
−\tdx{Inv_f_f}    inj(f) ==> Inv(f,f(x)) = x
+
−\tdx{f_Inv_f}    y : range(f) ==> f(Inv(f,y)) = y
+
−
+
−%\tdx{Inv_injective}
+
−%    [| Inv(f,x)=Inv(f,y); x: range(f);  y: range(f) |] ==> x=y
+
−%
+
−\tdx{imageI}     [| x:A |] ==> f(x) : f``A
+
−\tdx{imageE}     [| b : f``A;  !!x.[| b=f(x);  x:A |] ==> P |] ==> P
+
−
+
−\tdx{rangeI}     f(x) : range(f)
+
−\tdx{rangeE}     [| b : range(f);  !!x.[| b=f(x) |] ==> P |] ==> P
+
−
+
−\tdx{monoI}      [| !!A B. A <= B ==> f(A) <= f(B) |] ==> mono(f)
+
−\tdx{monoD}      [| mono(f);  A <= B |] ==> f(A) <= f(B)
+
−
+
−\tdx{injI}       [| !! x y. f(x) = f(y) ==> x=y |] ==> inj(f)
+
−\tdx{inj_inverseI}              (!!x. g(f(x)) = x) ==> inj(f)
+
−\tdx{injD}       [| inj(f); f(x) = f(y) |] ==> x=y
+
−
+
−\tdx{inj_ontoI}  (!!x y. [| f(x)=f(y); x:A; y:A |] ==> x=y) ==> inj_onto(f,A)
+
−\tdx{inj_ontoD}  [| inj_onto(f,A);  f(x)=f(y);  x:A;  y:A |] ==> x=y
+
−
+
−\tdx{inj_onto_inverseI}
+
−    (!!x. x:A ==> g(f(x)) = x) ==> inj_onto(f,A)
+
−\tdx{inj_onto_contraD}
+
−    [| inj_onto(f,A);  x~=y;  x:A;  y:A |] ==> ~ f(x)=f(y)
+
−\end{ttbox}
+
−\caption{Derived rules involving functions} \label{hol-fun}
+
−\end{figure}
+
−
+
−
+
−\begin{figure} \underscoreon
+
−\begin{ttbox}
+
−\tdx{Union_upper}     B:A ==> B <= Union(A)
+
−\tdx{Union_least}     [| !!X. X:A ==> X<=C |] ==> Union(A) <= C
+
−
+
−\tdx{Inter_lower}     B:A ==> Inter(A) <= B
+
−\tdx{Inter_greatest}  [| !!X. X:A ==> C<=X |] ==> C <= Inter(A)
+
−
+
−\tdx{Un_upper1}       A <= A Un B
+
−\tdx{Un_upper2}       B <= A Un B
+
−\tdx{Un_least}        [| A<=C;  B<=C |] ==> A Un B <= C
+
−
+
−\tdx{Int_lower1}      A Int B <= A
+
−\tdx{Int_lower2}      A Int B <= B
+
−\tdx{Int_greatest}    [| C<=A;  C<=B |] ==> C <= A Int B
+
−\end{ttbox}
+
−\caption{Derived rules involving subsets} \label{hol-subset}
+
−\end{figure}
+
−
+
−
+
−\begin{figure} \underscoreon   \hfuzz=4pt%suppress "Overfull \hbox" message
+
−\begin{ttbox}
+
−\tdx{Int_absorb}        A Int A = A
+
−\tdx{Int_commute}       A Int B = B Int A
+
−\tdx{Int_assoc}         (A Int B) Int C  =  A Int (B Int C)
+
−\tdx{Int_Un_distrib}    (A Un B)  Int C  =  (A Int C) Un (B Int C)
+
−
+
−\tdx{Un_absorb}         A Un A = A
+
−\tdx{Un_commute}        A Un B = B Un A
+
−\tdx{Un_assoc}          (A Un B)  Un C  =  A Un (B Un C)
+
−\tdx{Un_Int_distrib}    (A Int B) Un C  =  (A Un C) Int (B Un C)
+
−
+
−\tdx{Compl_disjoint}    A Int Compl(A) = \{x.False\}
+
−\tdx{Compl_partition}   A Un  Compl(A) = \{x.True\}
+
−\tdx{double_complement} Compl(Compl(A)) = A
+
−\tdx{Compl_Un}          Compl(A Un B)  = Compl(A) Int Compl(B)
+
−\tdx{Compl_Int}         Compl(A Int B) = Compl(A) Un Compl(B)
+
−
+
−\tdx{Union_Un_distrib}  Union(A Un B) = Union(A) Un Union(B)
+
−\tdx{Int_Union}         A Int Union(B) = (UN C:B. A Int C)
+
−\tdx{Un_Union_image}    (UN x:C. A(x) Un B(x)) = Union(A``C) Un Union(B``C)
+
−
+
−\tdx{Inter_Un_distrib}  Inter(A Un B) = Inter(A) Int Inter(B)
+
−\tdx{Un_Inter}          A Un Inter(B) = (INT C:B. A Un C)
+
−\tdx{Int_Inter_image}   (INT x:C. A(x) Int B(x)) = Inter(A``C) Int Inter(B``C)
+
−\end{ttbox}
+
−\caption{Set equalities} \label{hol-equalities}
+
−\end{figure}
+
−
+
−
+
−Figures~\ref{hol-set1} and~\ref{hol-set2} present derived rules.  Most are
+
−obvious and resemble rules of Isabelle's ZF set theory.  Certain rules, such
+
−as \tdx{subsetCE}, \tdx{bexCI} and \tdx{UnCI}, are designed for classical
+
−reasoning; the rules \tdx{subsetD}, \tdx{bexI}, \tdx{Un1} and~\tdx{Un2} are
+
−not strictly necessary but yield more natural proofs.  Similarly,
+
−\tdx{equalityCE} supports classical reasoning about extensionality, after the
+
−fashion of \tdx{iffCE}.  See the file {\tt HOL/Set.ML} for proofs pertaining
+
−to set theory.
+
−
+
−Figure~\ref{hol-fun} presents derived inference rules involving functions.
+
−They also include rules for \cdx{Inv}, which is defined in theory~{\tt
+
−  HOL}; note that ${\tt Inv}(f)$ applies the Axiom of Choice to yield an
+
−inverse of~$f$.  They also include natural deduction rules for the image
+
−and range operators, and for the predicates {\tt inj} and {\tt inj_onto}.
+
−Reasoning about function composition (the operator~\sdx{o}) and the
+
−predicate~\cdx{surj} is done simply by expanding the definitions.  See
+
−the file {\tt HOL/fun.ML} for a complete listing of the derived rules.
+
−
+
−Figure~\ref{hol-subset} presents lattice properties of the subset relation.
+
−Unions form least upper bounds; non-empty intersections form greatest lower
+
−bounds.  Reasoning directly about subsets often yields clearer proofs than
+
−reasoning about the membership relation.  See the file {\tt HOL/subset.ML}.
+
−
+
−Figure~\ref{hol-equalities} presents many common set equalities.  They
+
−include commutative, associative and distributive laws involving unions,
+
−intersections and complements.  The proofs are mostly trivial, using the
+
−classical reasoner; see file {\tt HOL/equalities.ML}.
+
−
+
−
+
−\begin{figure}
+
−\begin{constants}
+
−  \it symbol    & \it meta-type &           & \it description \\ 
+
−  \cdx{Pair}    & $[\alpha,\beta]\To \alpha\times\beta$
+
−        & & ordered pairs $\langle a,b\rangle$ \\
+
−  \cdx{fst}     & $\alpha\times\beta \To \alpha$        & & first projection\\
+
−  \cdx{snd}     & $\alpha\times\beta \To \beta$         & & second projection\\
+
−  \cdx{split}   & $[[\alpha,\beta]\To\gamma, \alpha\times\beta] \To \gamma$ 
+
−        & & generalized projection\\
+
−  \cdx{Sigma}  & 
+
−        $[\alpha\,set, \alpha\To\beta\,set]\To(\alpha\times\beta)set$ &
+
−        & general sum of sets
+
−\end{constants}
+
−\begin{ttbox}\makeatletter
+
−\tdx{fst_def}      fst(p)     == @a. ? b. p = <a,b>
+
−\tdx{snd_def}      snd(p)     == @b. ? a. p = <a,b>
+
−\tdx{split_def}    split(c,p) == c(fst(p),snd(p))
+
−\tdx{Sigma_def}    Sigma(A,B) == UN x:A. UN y:B(x). \{<x,y>\}
+
−
+
−
+
−\tdx{Pair_inject}  [| <a, b> = <a',b'>;  [| a=a';  b=b' |] ==> R |] ==> R
+
−\tdx{fst_conv}     fst(<a,b>) = a
+
−\tdx{snd_conv}     snd(<a,b>) = b
+
−\tdx{split}        split(c, <a,b>) = c(a,b)
+
−
+
−\tdx{surjective_pairing}  p = <fst(p),snd(p)>
+
−
+
−\tdx{SigmaI}       [| a:A;  b:B(a) |] ==> <a,b> : Sigma(A,B)
+
−
+
−\tdx{SigmaE}       [| c: Sigma(A,B);  
+
−                !!x y.[| x:A; y:B(x); c=<x,y> |] ==> P |] ==> P
+
−\end{ttbox}
+
−\caption{Type $\alpha\times\beta$}\label{hol-prod}
+
−\end{figure} 
+
−
+
−
+
−\begin{figure}
+
−\begin{constants}
+
−  \it symbol    & \it meta-type &           & \it description \\ 
+
−  \cdx{Inl}     & $\alpha \To \alpha+\beta$    & & first injection\\
+
−  \cdx{Inr}     & $\beta \To \alpha+\beta$     & & second injection\\
+
−  \cdx{sum_case} & $[\alpha\To\gamma, \beta\To\gamma, \alpha+\beta] \To\gamma$
+
−        & & conditional
+
−\end{constants}
+
−\begin{ttbox}\makeatletter
+
−\tdx{sum_case_def}   sum_case == (\%f g p. @z. (!x. p=Inl(x) --> z=f(x)) &
+
−                                        (!y. p=Inr(y) --> z=g(y)))
+
−
+
−\tdx{Inl_not_Inr}    ~ Inl(a)=Inr(b)
+
−
+
−\tdx{inj_Inl}        inj(Inl)
+
−\tdx{inj_Inr}        inj(Inr)
+
−
+
−\tdx{sumE}           [| !!x::'a. P(Inl(x));  !!y::'b. P(Inr(y)) |] ==> P(s)
+
−
+
−\tdx{sum_case_Inl}   sum_case(f, g, Inl(x)) = f(x)
+
−\tdx{sum_case_Inr}   sum_case(f, g, Inr(x)) = g(x)
+
−
+
−\tdx{surjective_sum} sum_case(\%x::'a. f(Inl(x)), \%y::'b. f(Inr(y)), s) = f(s)
+
−\end{ttbox}
+
−\caption{Type $\alpha+\beta$}\label{hol-sum}
+
−\end{figure}
+
−
+
−
+
−\section{Generic packages and classical reasoning}
+
−HOL instantiates most of Isabelle's generic packages; see {\tt HOL/ROOT.ML}
+
−for details.
+
−\begin{itemize}
+
−\item Because it includes a general substitution rule, HOL instantiates the
+
−  tactic {\tt hyp_subst_tac}, which substitutes for an equality throughout a
+
−  subgoal and its hypotheses.
+
−\item 
+
−It instantiates the simplifier, defining~\ttindexbold{HOL_ss} as the
+
−simplification set for higher-order logic.  Equality~($=$), which also
+
−expresses logical equivalence, may be used for rewriting.  See the file
+
−{\tt HOL/simpdata.ML} for a complete listing of the simplification
+
−rules. 
+
−\item 
+
−It instantiates the classical reasoner, as described below. 
+
−\end{itemize}
+
−HOL derives classical introduction rules for $\disj$ and~$\exists$, as well as
+
−classical elimination rules for~$\imp$ and~$\bimp$, and the swap rule; recall
+
−Fig.\ts\ref{hol-lemmas2} above.
+
−
+
−The classical reasoner is set up as the structure {\tt Classical}.  This
+
−structure is open, so {\ML} identifiers such as {\tt step_tac}, {\tt
+
−  fast_tac}, {\tt best_tac}, etc., refer to it.  HOL defines the following
+
−classical rule sets:
+
−\begin{ttbox} 
+
−prop_cs    : claset
+
−HOL_cs     : claset
+
−set_cs     : claset
+
−\end{ttbox}
+
−\begin{ttdescription}
+
−\item[\ttindexbold{prop_cs}] contains the propositional rules, namely
+
−those for~$\top$, $\bot$, $\conj$, $\disj$, $\neg$, $\imp$ and~$\bimp$,
+
−along with the rule~{\tt refl}.
+
−
+
−\item[\ttindexbold{HOL_cs}] extends {\tt prop_cs} with the safe rules
+
−  {\tt allI} and~{\tt exE} and the unsafe rules {\tt allE}
+
−  and~{\tt exI}, as well as rules for unique existence.  Search using
+
−  this classical set is incomplete: quantified formulae are used at most
+
−  once.
+
−
+
−\item[\ttindexbold{set_cs}] extends {\tt HOL_cs} with rules for the bounded
+
−  quantifiers, subsets, comprehensions, unions and intersections,
+
−  complements, finite sets, images and ranges.
+
−\end{ttdescription}
+
−\noindent
+
−See \iflabelundefined{chap:classical}{the {\em Reference Manual\/}}%
+
−        {Chap.\ts\ref{chap:classical}} 
+
−for more discussion of classical proof methods.
+
−
+
−
+
−\section{Types}
+
−The basic higher-order logic is augmented with a tremendous amount of
+
−material, including support for recursive function and type definitions.  A
+
−detailed discussion appears elsewhere~\cite{paulson-coind}.  The simpler
+
−definitions are the same as those used the {\sc hol} system, but my
+
−treatment of recursive types differs from Melham's~\cite{melham89}.  The
+
−present section describes product, sum, natural number and list types.
+
−
+
−\subsection{Product and sum types}\index{*"* type}\index{*"+ type}
+
−Theory \thydx{Prod} defines the product type $\alpha\times\beta$, with
+
−the ordered pair syntax {\tt<$a$,$b$>}.  Theory \thydx{Sum} defines the
+
−sum type $\alpha+\beta$.  These use fairly standard constructions; see
+
−Figs.\ts\ref{hol-prod} and~\ref{hol-sum}.  Because Isabelle does not
+
−support abstract type definitions, the isomorphisms between these types and
+
−their representations are made explicitly.
+
−
+
−Most of the definitions are suppressed, but observe that the projections
+
−and conditionals are defined as descriptions.  Their properties are easily
+
−proved using \tdx{select_equality}.  
+
−
+
−\begin{figure} 
+
−\index{*"< symbol}
+
−\index{*"* symbol}
+
−\index{*div symbol}
+
−\index{*mod symbol}
+
−\index{*"+ symbol}
+
−\index{*"- symbol}
+
−\begin{constants}
+
−  \it symbol    & \it meta-type & \it priority & \it description \\ 
+
−  \cdx{0}       & $nat$         & & zero \\
+
−  \cdx{Suc}     & $nat \To nat$ & & successor function\\
+
−  \cdx{nat_case} & $[\alpha, nat\To\alpha, nat] \To\alpha$
+
−        & & conditional\\
+
−  \cdx{nat_rec} & $[nat, \alpha, [nat, \alpha]\To\alpha] \To \alpha$
+
−        & & primitive recursor\\
+
−  \cdx{pred_nat} & $(nat\times nat) set$ & & predecessor relation\\
+
−  \tt *         & $[nat,nat]\To nat$    &  Left 70      & multiplication \\
+
−  \tt div       & $[nat,nat]\To nat$    &  Left 70      & division\\
+
−  \tt mod       & $[nat,nat]\To nat$    &  Left 70      & modulus\\
+
−  \tt +         & $[nat,nat]\To nat$    &  Left 65      & addition\\
+
−  \tt -         & $[nat,nat]\To nat$    &  Left 65      & subtraction
+
−\end{constants}
+
−\subcaption{Constants and infixes}
+
−
+
−\begin{ttbox}\makeatother
+
−\tdx{nat_case_def}  nat_case == (\%a f n. @z. (n=0 --> z=a) & 
+
−                                       (!x. n=Suc(x) --> z=f(x)))
+
−\tdx{pred_nat_def}  pred_nat == \{p. ? n. p = <n, Suc(n)>\} 
+
−\tdx{less_def}      m<n      == <m,n>:pred_nat^+
+
−\tdx{nat_rec_def}   nat_rec(n,c,d) == 
+
−               wfrec(pred_nat, n, nat_case(\%g.c, \%m g. d(m,g(m))))
+
−
+
−\tdx{add_def}   m+n     == nat_rec(m, n, \%u v.Suc(v))
+
−\tdx{diff_def}  m-n     == nat_rec(n, m, \%u v. nat_rec(v, 0, \%x y.x))
+
−\tdx{mult_def}  m*n     == nat_rec(m, 0, \%u v. n + v)
+
−\tdx{mod_def}   m mod n == wfrec(trancl(pred_nat), m, \%j f. if(j<n,j,f(j-n)))
+
−\tdx{quo_def}   m div n == wfrec(trancl(pred_nat), 
+
−                        m, \%j f. if(j<n,0,Suc(f(j-n))))
+
−\subcaption{Definitions}
+
−\end{ttbox}
+
−\caption{Defining {\tt nat}, the type of natural numbers} \label{hol-nat1}
+
−\end{figure}
+
−
+
−
+
−\begin{figure} \underscoreon
+
−\begin{ttbox}
+
−\tdx{nat_induct}     [| P(0); !!k. [| P(k) |] ==> P(Suc(k)) |]  ==> P(n)
+
−
+
−\tdx{Suc_not_Zero}   Suc(m) ~= 0
+
−\tdx{inj_Suc}        inj(Suc)
+
−\tdx{n_not_Suc_n}    n~=Suc(n)
+
−\subcaption{Basic properties}
+
−
+
−\tdx{pred_natI}      <n, Suc(n)> : pred_nat
+
−\tdx{pred_natE}
+
−    [| p : pred_nat;  !!x n. [| p = <n, Suc(n)> |] ==> R |] ==> R
+
−
+
−\tdx{nat_case_0}     nat_case(a, f, 0) = a
+
−\tdx{nat_case_Suc}   nat_case(a, f, Suc(k)) = f(k)
+
−
+
−\tdx{wf_pred_nat}    wf(pred_nat)
+
−\tdx{nat_rec_0}      nat_rec(0,c,h) = c
+
−\tdx{nat_rec_Suc}    nat_rec(Suc(n), c, h) = h(n, nat_rec(n,c,h))
+
−\subcaption{Case analysis and primitive recursion}
+
−
+
−\tdx{less_trans}     [| i<j;  j<k |] ==> i<k
+
−\tdx{lessI}          n < Suc(n)
+
−\tdx{zero_less_Suc}  0 < Suc(n)
+
−
+
−\tdx{less_not_sym}   n<m --> ~ m<n 
+
−\tdx{less_not_refl}  ~ n<n
+
−\tdx{not_less0}      ~ n<0
+
−
+
−\tdx{Suc_less_eq}    (Suc(m) < Suc(n)) = (m<n)
+
−\tdx{less_induct}    [| !!n. [| ! m. m<n --> P(m) |] ==> P(n) |]  ==>  P(n)
+
−
+
−\tdx{less_linear}    m<n | m=n | n<m
+
−\subcaption{The less-than relation}
+
−\end{ttbox}
+
−\caption{Derived rules for {\tt nat}} \label{hol-nat2}
+
−\end{figure}
+
−
+
−
+
−\subsection{The type of natural numbers, {\tt nat}}
+
−The theory \thydx{Nat} defines the natural numbers in a roundabout but
+
−traditional way.  The axiom of infinity postulates an type~\tydx{ind} of
+
−individuals, which is non-empty and closed under an injective operation.
+
−The natural numbers are inductively generated by choosing an arbitrary
+
−individual for~0 and using the injective operation to take successors.  As
+
−usual, the isomorphisms between~\tydx{nat} and its representation are made
+
−explicitly.
+
−
+
−The definition makes use of a least fixed point operator \cdx{lfp},
+
−defined using the Knaster-Tarski theorem.  This is used to define the
+
−operator \cdx{trancl}, for taking the transitive closure of a relation.
+
−Primitive recursion makes use of \cdx{wfrec}, an operator for recursion
+
−along arbitrary well-founded relations.  The corresponding theories are
+
−called {\tt Lfp}, {\tt Trancl} and {\tt WF}\@.  Elsewhere I have described
+
−similar constructions in the context of set theory~\cite{paulson-set-II}.
+
−
+
−Type~\tydx{nat} is postulated to belong to class~\cldx{ord}, which overloads
+
−$<$ and $\leq$ on the natural numbers.  As of this writing, Isabelle provides
+
−no means of verifying that such overloading is sensible; there is no means of
+
−specifying the operators' properties and verifying that instances of the
+
−operators satisfy those properties.  To be safe, the HOL theory includes no
+
−polymorphic axioms asserting general properties of $<$ and~$\leq$.
+
−
+
−Theory \thydx{Arith} develops arithmetic on the natural numbers.  It
+
−defines addition, multiplication, subtraction, division, and remainder.
+
−Many of their properties are proved: commutative, associative and
+
−distributive laws, identity and cancellation laws, etc.  The most
+
−interesting result is perhaps the theorem $a \bmod b + (a/b)\times b = a$.
+
−Division and remainder are defined by repeated subtraction, which requires
+
−well-founded rather than primitive recursion.  See Figs.\ts\ref{hol-nat1}
+
−and~\ref{hol-nat2}.
+
−
+
−The predecessor relation, \cdx{pred_nat}, is shown to be well-founded.
+
−Recursion along this relation resembles primitive recursion, but is
+
−stronger because we are in higher-order logic; using primitive recursion to
+
−define a higher-order function, we can easily Ackermann's function, which
+
−is not primitive recursive \cite[page~104]{thompson91}.
+
−The transitive closure of \cdx{pred_nat} is~$<$.  Many functions on the
+
−natural numbers are most easily expressed using recursion along~$<$.
+
−
+
−The tactic {\tt\ttindex{nat_ind_tac} "$n$" $i$} performs induction over the
+
−variable~$n$ in subgoal~$i$.
+
−
+
−\begin{figure}
+
−\index{#@{\tt\#} symbol}
+
−\index{"@@{\tt\at} symbol}
+
−\begin{constants}
+
−  \it symbol & \it meta-type & \it priority & \it description \\
+
−  \cdx{Nil}     & $\alpha list$ & & empty list\\
+
−  \tt \#   & $[\alpha,\alpha list]\To \alpha list$ & Right 65 & 
+
−        list constructor \\
+
−  \cdx{null}    & $\alpha list \To bool$ & & emptiness test\\
+
−  \cdx{hd}      & $\alpha list \To \alpha$ & & head \\
+
−  \cdx{tl}      & $\alpha list \To \alpha list$ & & tail \\
+
−  \cdx{ttl}     & $\alpha list \To \alpha list$ & & total tail \\
+
−  \tt\at  & $[\alpha list,\alpha list]\To \alpha list$ & Left 65 & append \\
+
−  \sdx{mem}  & $[\alpha,\alpha list]\To bool$    &  Left 55   & membership\\
+
−  \cdx{map}     & $(\alpha\To\beta) \To (\alpha list \To \beta list)$
+
−        & & mapping functional\\
+
−  \cdx{filter}  & $(\alpha \To bool) \To (\alpha list \To \alpha list)$
+
−        & & filter functional\\
+
−  \cdx{list_all}& $(\alpha \To bool) \To (\alpha list \To bool)$
+
−        & & forall functional\\
+
−  \cdx{list_rec}        & $[\alpha list, \beta, [\alpha ,\alpha list,
+
−\beta]\To\beta] \To \beta$
+
−        & & list recursor
+
−\end{constants}
+
−\subcaption{Constants and infixes}
+
−
+
−\begin{center} \tt\frenchspacing
+
−\begin{tabular}{rrr} 
+
−  \it external        & \it internal  & \it description \\{}
+
−  \sdx{[]}            & Nil           & \rm empty list \\{}
+
−  [$x@1$, $\dots$, $x@n$]  &  $x@1$ \# $\cdots$ \# $x@n$ \# [] &
+
−        \rm finite list \\{}
+
−  [$x$:$l$. $P$]  & filter($\lambda x{.}P$, $l$) & 
+
−        \rm list comprehension
+
−\end{tabular}
+
−\end{center}
+
−\subcaption{Translations}
+
−
+
−\begin{ttbox}
+
−\tdx{list_induct}    [| P([]);  !!x xs. [| P(xs) |] ==> P(x#xs)) |]  ==> P(l)
+
−
+
−\tdx{Cons_not_Nil}   (x # xs) ~= []
+
−\tdx{Cons_Cons_eq}   ((x # xs) = (y # ys)) = (x=y & xs=ys)
+
−\subcaption{Induction and freeness}
+
−\end{ttbox}
+
−\caption{The theory \thydx{List}} \label{hol-list}
+
−\end{figure}
+
−
+
−\begin{figure}
+
−\begin{ttbox}\makeatother
+
−\tdx{list_rec_Nil}    list_rec([],c,h) = c  
+
−\tdx{list_rec_Cons}   list_rec(a#l, c, h) = h(a, l, list_rec(l,c,h))
+
−
+
−\tdx{list_case_Nil}   list_case(c, h, []) = c 
+
−\tdx{list_case_Cons}  list_case(c, h, x#xs) = h(x, xs)
+
−
+
−\tdx{map_Nil}         map(f,[]) = []
+
−\tdx{map_Cons}        map(f, x \# xs) = f(x) \# map(f,xs)
+
−
+
−\tdx{null_Nil}        null([]) = True
+
−\tdx{null_Cons}       null(x#xs) = False
+
−
+
−\tdx{hd_Cons}         hd(x#xs) = x
+
−\tdx{tl_Cons}         tl(x#xs) = xs
+
−
+
−\tdx{ttl_Nil}         ttl([]) = []
+
−\tdx{ttl_Cons}        ttl(x#xs) = xs
+
−
+
−\tdx{append_Nil}      [] @ ys = ys
+
−\tdx{append_Cons}     (x#xs) \at ys = x # xs \at ys
+
−
+
−\tdx{mem_Nil}         x mem [] = False
+
−\tdx{mem_Cons}        x mem (y#ys) = if(y=x, True, x mem ys)
+
−
+
−\tdx{filter_Nil}      filter(P, []) = []
+
−\tdx{filter_Cons}     filter(P,x#xs) = if(P(x), x#filter(P,xs), filter(P,xs))
+
−
+
−\tdx{list_all_Nil}    list_all(P,[]) = True
+
−\tdx{list_all_Cons}   list_all(P, x#xs) = (P(x) & list_all(P, xs))
+
−\end{ttbox}
+
−\caption{Rewrite rules for lists} \label{hol-list-simps}
+
−\end{figure}
+
−
+
−
+
−\subsection{The type constructor for lists, {\tt list}}
+
−\index{*list type}
+
−
+
−HOL's definition of lists is an example of an experimental method for handling
+
−recursive data types.  Figure~\ref{hol-list} presents the theory \thydx{List}:
+
−the basic list operations with their types and properties.
+
−
+
−The \sdx{case} construct is defined by the following translation:
+
−{\dquotes
+
−\begin{eqnarray*}
+
−  \begin{array}{r@{\;}l@{}l}
+
−  "case " e " of" & "[]"    & " => " a\\
+
−              "|" & x"\#"xs & " => " b
+
−  \end{array} 
+
−  & \equiv &
+
−  "list_case"(a, \lambda x\;xs.b, e)
+
−\end{eqnarray*}}%
+
−The theory includes \cdx{list_rec}, a primitive recursion operator
+
−for lists.  It is derived from well-founded recursion, a general principle
+
−that can express arbitrary total recursive functions.
+
−
+
−The simpset \ttindex{list_ss} contains, along with additional useful lemmas,
+
−the basic rewrite rules that appear in Fig.\ts\ref{hol-list-simps}.
+
−
+
−The tactic {\tt\ttindex{list_ind_tac} "$xs$" $i$} performs induction over the
+
−variable~$xs$ in subgoal~$i$.
+
−
+
−
+
−\section{Datatype declarations}
+
−\index{*datatype|(}
+
−
+
−\underscoreon
+
−
+
−It is often necessary to extend a theory with \ML-like datatypes.  This
+
−extension consists of the new type, declarations of its constructors and
+
−rules that describe the new type. The theory definition section {\tt
+
−  datatype} represents a compact way of doing this.
+
−
+
−
+
−\subsection{Foundations}
+
−
+
−A datatype declaration has the following general structure:
+
−\[ \mbox{\tt datatype}~ (\alpha_1,\dots,\alpha_n)t ~=~
+
−      C_1(\tau_{11},\dots,\tau_{1k_1}) ~\mid~ \dots ~\mid~
+
−      C_m(\tau_{m1},\dots,\tau_{mk_m}) 
+
−\]
+
−where $\alpha_i$ are type variables, $C_i$ are distinct constructor names and
+
−$\tau_{ij}$ are one of the following:
+
−\begin{itemize}
+
−\item type variables $\alpha_1,\dots,\alpha_n$,
+
−\item types $(\beta_1,\dots,\beta_l)s$ where $s$ is a previously declared
+
−  type or type synonym and $\{\beta_1,\dots,\beta_l\} \subseteq
+
−  \{\alpha_1,\dots,\alpha_n\}$,
+
−\item the newly defined type $(\alpha_1,\dots,\alpha_n)t$ \footnote{This
+
−    makes it a recursive type. To ensure that the new type is not empty at
+
−    least one constructor must consist of only non-recursive type
+
−    components.}
+
−\end{itemize}
+
−If you would like one of the $\tau_{ij}$ to be a complex type expression
+
−$\tau$ you need to declare a new type synonym $syn = \tau$ first and use
+
−$syn$ in place of $\tau$. Of course this does not work if $\tau$ mentions the
+
−recursive type itself, thus ruling out problematic cases like \[ \mbox{\tt
+
−  datatype}~ t ~=~ C(t \To t) \] together with unproblematic ones like \[
+
−\mbox{\tt datatype}~ t ~=~ C(t~list). \]
+
−
+
−The constructors are automatically defined as functions of their respective
+
−type:
+
−\[ C_j : [\tau_{j1},\dots,\tau_{jk_j}] \To (\alpha_1,\dots,\alpha_n)t \]
+
−These functions have certain {\em freeness} properties:
+
−\begin{description}
+
−\item[\tt distinct] They are distinct:
+
−\[ C_i(x_1,\dots,x_{k_i}) \neq C_j(y_1,\dots,y_{k_j}) \qquad
+
−   \mbox{for all}~ i \neq j.
+
−\]
+
−\item[\tt inject] They are injective:
+
−\[ (C_j(x_1,\dots,x_{k_j}) = C_j(y_1,\dots,y_{k_j})) =
+
−   (x_1 = y_1 \land \dots \land x_{k_j} = y_{k_j})
+
−\]
+
−\end{description}
+
−Because the number of inequalities is quadratic in the number of
+
−constructors, a different method is used if their number exceeds
+
−a certain value, currently 4. In that case every constructor is mapped to a
+
−natural number
+
−\[
+
−\begin{array}{lcl}
+
−\mbox{\it t\_ord}(C_1(x_1,\dots,x_{k_1})) & = & 0 \\
+
−& \vdots & \\
+
−\mbox{\it t\_ord}(C_m(x_1,\dots,x_{k_m})) & = & m-1
+
−\end{array}
+
−\]
+
−and distinctness of constructors is expressed by:
+
−\[
+
−\mbox{\it t\_ord}(x) \neq \mbox{\it t\_ord}(y) \Imp x \neq y.
+
−\]
+
−In addition a structural induction axiom {\tt induct} is provided: 
+
−\[
+
−\infer{P(x)}
+
−{\begin{array}{lcl}
+
−\Forall x_1\dots x_{k_1}.
+
−  \List{P(x_{r_{11}}); \dots; P(x_{r_{1l_1}})} &
+
−  \Imp  & P(C_1(x_1,\dots,x_{k_1})) \\
+
− & \vdots & \\
+
−\Forall x_1\dots x_{k_m}.
+
−  \List{P(x_{r_{m1}}); \dots; P(x_{r_{ml_m}})} &
+
−  \Imp & P(C_m(x_1,\dots,x_{k_m}))
+
−\end{array}}
+
−\]
+
−where $\{r_{j1},\dots,r_{jl_j}\} = \{i \in \{1,\dots k_j\} ~\mid~ \tau_{ji}
+
−= (\alpha_1,\dots,\alpha_n)t \}$, i.e.\ the property $P$ can be assumed for
+
−all arguments of the recursive type.
+
−
+
−The type also comes with an \ML-like \sdx{case}-construct:
+
−\[
+
−\begin{array}{rrcl}
+
−\mbox{\tt case}~e~\mbox{\tt of} & C_1(x_{11},\dots,x_{1k_1}) & \To & e_1 \\
+
−                           \vdots \\
+
−                           \mid & C_m(x_{m1},\dots,x_{mk_m}) & \To & e_m
+
−\end{array}
+
−\]
+
−In contrast to \ML, {\em all} constructors must be present, their order is
+
−fixed, and nested patterns are not supported.
+
−
+
−
+
−\subsection{Defining datatypes}
+
−
+
−A datatype is defined in a theory definition file using the keyword {\tt
+
−  datatype}. The definition following {\tt datatype} must conform to the
+
−syntax of {\em typedecl} specified in Fig.~\ref{datatype-grammar} and must
+
−obey the rules in the previous section. As a result the theory is extended
+
−with the new type, the constructors, and the theorems listed in the previous
+
−section.
+
−
+
−\begin{figure}
+
−\begin{rail}
+
−typedecl : typevarlist id '=' (cons + '|')
+
−         ;
+
−cons     : (id | string) ( () | '(' (typ + ',') ')' ) ( () | mixfix )
+
−         ;
+
−typ      : typevarlist id
+
−           | tid
+
−         ;
+
−typevarlist : () | tid | '(' (tid + ',') ')'
+
−         ;
+
−\end{rail}
+
−\caption{Syntax of datatype declarations}
+
−\label{datatype-grammar}
+
−\end{figure}
+
−
+
−Reading the theory file produces a structure which, in addition to the usual
+
−components, contains a structure named $t$ for each datatype $t$ defined in
+
−the file.\footnote{Otherwise multiple datatypes in the same theory file would
+
−  lead to name clashes.} Each structure $t$ contains the following elements:
+
−\begin{ttbox}
+
−val distinct : thm list
+
−val inject : thm list
+
−val induct : thm
+
−val cases : thm list
+
−val simps : thm list
+
−val induct_tac : string -> int -> tactic
+
−\end{ttbox}
+
−{\tt distinct}, {\tt inject} and {\tt induct} contain the theorems described
+
−above. For convenience {\tt distinct} contains inequalities in both
+
−directions.
+
−\begin{warn}
+
−  If there are five or more constructors, the {\em t\_ord} scheme is used for
+
−  {\tt distinct}.  In this case the theory {\tt Arith} must be contained
+
−  in the current theory, if necessary by including it explicitly.
+
−\end{warn}
+
−The reduction rules of the {\tt case}-construct are in {\tt cases}.  All
+
−theorems from {\tt distinct}, {\tt inject} and {\tt cases} are combined in
+
−{\tt simps} for use with the simplifier. The tactic {\verb$induct_tac$~{\em
+
−    var i}\/} applies structural induction over variable {\em var} to
+
−subgoal {\em i}.
+
−
+
−
+
−\subsection{Examples}
+
−
+
−\subsubsection{The datatype $\alpha~list$}
+
−
+
−We want to define the type $\alpha~list$.\footnote{Of course there is a list
+
−  type in HOL already. This is only an example.} To do this we have to build
+
−a new theory that contains the type definition. We start from {\tt HOL}.
+
−\begin{ttbox}
+
−MyList = HOL +
+
−  datatype 'a list = Nil | Cons ('a, 'a list)
+
−end
+
−\end{ttbox}
+
−After loading the theory (\verb$use_thy "MyList"$), we can prove
+
−$Cons(x,xs)\neq xs$.  First we build a suitable simpset for the simplifier:
+
−\begin{ttbox}
+
−val mylist_ss = HOL_ss addsimps MyList.list.simps;
+
−goal MyList.thy "!x. Cons(x,xs) ~= xs";
+
−{\out Level 0}
+
−{\out ! x. Cons(x, xs) ~= xs}
+
−{\out  1. ! x. Cons(x, xs) ~= xs}
+
−\end{ttbox}
+
−This can be proved by the structural induction tactic:
+
−\begin{ttbox}
+
−by (MyList.list.induct_tac "xs" 1);
+
−{\out Level 1}
+
−{\out ! x. Cons(x, xs) ~= xs}
+
−{\out  1. ! x. Cons(x, Nil) ~= Nil}
+
−{\out  2. !!a list.}
+
−{\out        ! x. Cons(x, list) ~= list ==>}
+
−{\out        ! x. Cons(x, Cons(a, list)) ~= Cons(a, list)}
+
−\end{ttbox}
+
−The first subgoal can be proved with the simplifier and the distinctness
+
−axioms which are part of \verb$mylist_ss$.
+
−\begin{ttbox}
+
−by (simp_tac mylist_ss 1);
+
−{\out Level 2}
+
−{\out ! x. Cons(x, xs) ~= xs}
+
−{\out  1. !!a list.}
+
−{\out        ! x. Cons(x, list) ~= list ==>}
+
−{\out        ! x. Cons(x, Cons(a, list)) ~= Cons(a, list)}
+
−\end{ttbox}
+
−Using the freeness axioms we can quickly prove the remaining goal.
+
−\begin{ttbox}
+
−by (asm_simp_tac mylist_ss 1);
+
−{\out Level 3}
+
−{\out ! x. Cons(x, xs) ~= xs}
+
−{\out No subgoals!}
+
−\end{ttbox}
+
−Because both subgoals were proved by almost the same tactic we could have
+
−done that in one step using
+
−\begin{ttbox}
+
−by (ALLGOALS (asm_simp_tac mylist_ss));
+
−\end{ttbox}
+
−
+
−
+
−\subsubsection{The datatype $\alpha~list$ with mixfix syntax}
+
−
+
−In this example we define the type $\alpha~list$ again but this time we want
+
−to write {\tt []} instead of {\tt Nil} and we want to use the infix operator
+
−\verb|#| instead of {\tt Cons}. To do this we simply add mixfix annotations
+
−after the constructor declarations as follows:
+
−\begin{ttbox}
+
−MyList = HOL +
+
−  datatype 'a list = "[]" ("[]") 
+
−                   | "#" ('a, 'a list) (infixr 70)
+
−end
+
−\end{ttbox}
+
−Now the theorem in the previous example can be written \verb|x#xs ~= xs|. The
+
−proof is the same.
+
−
+
−
+
−\subsubsection{A datatype for weekdays}
+
−
+
−This example shows a datatype that consists of more than four constructors:
+
−\begin{ttbox}
+
−Days = Arith +
+
−  datatype days = Mo | Tu | We | Th | Fr | Sa | So
+
−end
+
−\end{ttbox}
+
−Because there are more than four constructors, the theory must be based on
+
−{\tt Arith}. Inequality is defined via a function \verb|days_ord|. Although
+
−the expression \verb|Mo ~= Tu| is not directly contained in {\tt distinct},
+
−it can be proved by the simplifier if \verb$arith_ss$ is used:
+
−\begin{ttbox}
+
−val days_ss = arith_ss addsimps Days.days.simps;
+
−
+
−goal Days.thy "Mo ~= Tu";
+
−by (simp_tac days_ss 1);
+
−\end{ttbox}
+
−Note that usually it is not necessary to derive these inequalities explicitly
+
−because the simplifier will dispose of them automatically.
+
−
+
−\subsection{Primitive recursive functions}
+
−\index{primitive recursion|(}
+
−\index{*primrec|(}
+
−
+
−Datatypes come with a uniform way of defining functions, {\bf primitive
+
−  recursion}. Although it is possible to define primitive recursive functions
+
−by asserting their reduction rules as new axioms, e.g.\
+
−\begin{ttbox}
+
−Append = MyList +
+
−consts app :: "['a list,'a list] => 'a list"
+
−rules 
+
−   app_Nil   "app([],ys) = ys"
+
−   app_Cons  "app(x#xs, ys) = x#app(xs,ys)"
+
−end
+
−\end{ttbox}
+
−this carries with it the danger of accidentally asserting an inconsistency,
+
−as in \verb$app([],ys) = us$. Therefore primitive recursive functions on
+
−datatypes can be defined with a special syntax:
+
−\begin{ttbox}
+
−Append = MyList +
+
−consts app :: "['a list,'a list] => 'a list"
+
−primrec app MyList.list
+
−   app_Nil   "app([],ys) = ys"
+
−   app_Cons  "app(x#xs, ys) = x#app(xs,ys)"
+
−end
+
−\end{ttbox}
+
−The system will now check that the two rules \verb$app_Nil$ and
+
−\verb$app_Cons$ do indeed form a primitive recursive definition, thus
+
−ensuring that consistency is maintained. For example
+
−\begin{ttbox}
+
−primrec app MyList.list
+
−    app_Nil   "app([],ys) = us"
+
−\end{ttbox}
+
−is rejected:
+
−\begin{ttbox}
+
−Extra variables on rhs
+
−\end{ttbox}
+
−\bigskip
+
−
+
−The general form of a primitive recursive definition is
+
−\begin{ttbox}
+
−primrec {\it function} {\it type}
+
−    {\it reduction rules}
+
−\end{ttbox}
+
−where
+
−\begin{itemize}
+
−\item {\it function} is the name of the function, either as an {\it id} or a
+
−  {\it string}. The function must already have been declared.
+
−\item {\it type} is the name of the datatype, either as an {\it id} or in the
+
−  long form {\it Thy.t}, where {\it Thy} is the name of the parent theory the
+
−  datatype was declared in, and $t$ the name of the datatype. The long form
+
−  is required if the {\tt datatype} and the {\tt primrec} sections are in
+
−  different theories.
+
−\item {\it reduction rules} specify one or more named equations of the form
+
−  {\it id\/}~{\it string}, where the identifier gives the name of the rule in
+
−  the result structure, and {\it string} is a reduction rule of the form \[
+
−  f(x_1,\dots,x_m,C(y_1,\dots,y_k),z_1,\dots,z_n) = r \] such that $C$ is a
+
−  constructor of the datatype, $r$ contains only the free variables on the
+
−  left-hand side, and all recursive calls in $r$ are of the form
+
−  $f(\dots,y_i,\dots)$ for some $i$. There must be exactly one reduction
+
−  rule for each constructor.
+
−\end{itemize}
+
−A theory file may contain any number of {\tt primrec} sections which may be
+
−intermixed with other declarations.
+
−
+
−For the consistency-sensitive user it may be reassuring to know that {\tt
+
−  primrec} does not assert the reduction rules as new axioms but derives them
+
−as theorems from an explicit definition of the recursive function in terms of
+
−a recursion operator on the datatype.
+
−
+
−The primitive recursive function can also use infix or mixfix syntax:
+
−\begin{ttbox}
+
−Append = MyList +
+
−consts "@"  :: "['a list,'a list] => 'a list"  (infixr 60)
+
−primrec "op @" MyList.list
+
−   app_Nil   "[] @ ys = ys"
+
−   app_Cons  "(x#xs) @ ys = x#(xs @ ys)"
+
−end
+
−\end{ttbox}
+
−
+
−The reduction rules become part of the ML structure \verb$Append$ and can
+
−be used to prove theorems about the function:
+
−\begin{ttbox}
+
−val append_ss = HOL_ss addsimps [Append.app_Nil,Append.app_Cons];
+
−
+
−goal Append.thy "(xs @ ys) @ zs = xs @ (ys @ zs)";
+
−by (MyList.list.induct_tac "xs" 1);
+
−by (ALLGOALS(asm_simp_tac append_ss));
+
−\end{ttbox}
+
−
+
−%Note that underdefined primitive recursive functions are allowed:
+
−%\begin{ttbox}
+
−%Tl = MyList +
+
−%consts tl  :: "'a list => 'a list"
+
−%primrec tl MyList.list
+
−%   tl_Cons "tl(x#xs) = xs"
+
−%end
+
−%\end{ttbox}
+
−%Nevertheless {\tt tl} is total, although we do not know what the result of
+
−%\verb$tl([])$ is.
+
−
+
−\index{primitive recursion|)}
+
−\index{*primrec|)}
+
−\index{*datatype|)}
+
−
+
−
+
−\section{Inductive and coinductive definitions}
+
−\index{*inductive|(}
+
−\index{*coinductive|(}
+
−
+
−An {\bf inductive definition} specifies the least set closed under given
+
−rules.  For example, a structural operational semantics is an inductive
+
−definition of an evaluation relation.  Dually, a {\bf coinductive
+
−  definition} specifies the greatest set consistent with given rules.  An
+
−important example is using bisimulation relations to formalize equivalence
+
−of processes and infinite data structures.
+
−
+
−A theory file may contain any number of inductive and coinductive
+
−definitions.  They may be intermixed with other declarations; in
+
−particular, the (co)inductive sets {\bf must} be declared separately as
+
−constants, and may have mixfix syntax or be subject to syntax translations.
+
−
+
−Each (co)inductive definition adds definitions to the theory and also
+
−proves some theorems.  Each definition creates an ML structure, which is a
+
−substructure of the main theory structure.
+
−
+
−This package is derived from the ZF one, described in a
+
−separate paper,\footnote{It appeared in CADE~\cite{paulson-CADE} and a
+
−  longer version is distributed with Isabelle.} which you should refer to
+
−in case of difficulties.  The package is simpler than ZF's, thanks to HOL's
+
−automatic type-checking.  The type of the (co)inductive determines the
+
−domain of the fixedpoint definition, and the package does not use inference
+
−rules for type-checking.
+
−
+
−
+
−\subsection{The result structure}
+
−Many of the result structure's components have been discussed in the paper;
+
−others are self-explanatory.
+
−\begin{description}
+
−\item[\tt thy] is the new theory containing the recursive sets.
+
−
+
−\item[\tt defs] is the list of definitions of the recursive sets.
+
−
+
−\item[\tt mono] is a monotonicity theorem for the fixedpoint operator.
+
−
+
−\item[\tt unfold] is a fixedpoint equation for the recursive set (the union of
+
−the recursive sets, in the case of mutual recursion).
+
−
+
−\item[\tt intrs] is the list of introduction rules, now proved as theorems, for
+
−the recursive sets.  The rules are also available individually, using the
+
−names given them in the theory file. 
+
−
+
−\item[\tt elim] is the elimination rule.
+
−
+
−\item[\tt mk\_cases] is a function to create simplified instances of {\tt
+
−elim}, using freeness reasoning on some underlying datatype.
+
−\end{description}
+
−
+
−For an inductive definition, the result structure contains two induction rules,
+
−{\tt induct} and \verb|mutual_induct|.  For a coinductive definition, it
+
−contains the rule \verb|coinduct|.
+
−
+
−Figure~\ref{def-result-fig} summarizes the two result signatures,
+
−specifying the types of all these components.
+
−
+
−\begin{figure}
+
−\begin{ttbox}
+
−sig
+
−val thy          : theory
+
−val defs         : thm list
+
−val mono         : thm
+
−val unfold       : thm
+
−val intrs        : thm list
+
−val elim         : thm
+
−val mk_cases     : thm list -> string -> thm
+
−{\it(Inductive definitions only)} 
+
−val induct       : thm
+
−val mutual_induct: thm
+
−{\it(Coinductive definitions only)}
+
−val coinduct    : thm
+
−end
+
−\end{ttbox}
+
−\hrule
+
−\caption{The result of a (co)inductive definition} \label{def-result-fig}
+
−\end{figure}
+
−
+
−\subsection{The syntax of a (co)inductive definition}
+
−An inductive definition has the form
+
−\begin{ttbox}
+
−inductive    {\it inductive sets}
+
−  intrs      {\it introduction rules}
+
−  monos      {\it monotonicity theorems}
+
−  con_defs   {\it constructor definitions}
+
−\end{ttbox}
+
−A coinductive definition is identical, except that it starts with the keyword
+
−{\tt coinductive}.  
+
−
+
−The {\tt monos} and {\tt con\_defs} sections are optional.  If present,
+
−each is specified as a string, which must be a valid ML expression of type
+
−{\tt thm list}.  It is simply inserted into the {\tt .thy.ML} file; if it
+
−is ill-formed, it will trigger ML error messages.  You can then inspect the
+
−file on your directory.
+
−
+
−\begin{itemize}
+
−\item The {\it inductive sets} are specified by one or more strings.
+
−
+
−\item The {\it introduction rules} specify one or more introduction rules in
+
−  the form {\it ident\/}~{\it string}, where the identifier gives the name of
+
−  the rule in the result structure.
+
−
+
−\item The {\it monotonicity theorems} are required for each operator
+
−  applied to a recursive set in the introduction rules.  There {\bf must}
+
−  be a theorem of the form $A\subseteq B\Imp M(A)\subseteq M(B)$, for each
+
−  premise $t\in M(R_i)$ in an introduction rule!
+
−
+
−\item The {\it constructor definitions} contain definitions of constants
+
−  appearing in the introduction rules.  In most cases it can be omitted.
+
−\end{itemize}
+
−
+
−The package has a few notable restrictions:
+
−\begin{itemize}
+
−\item The theory must separately declare the recursive sets as
+
−  constants.
+
−
+
−\item The names of the recursive sets must be identifiers, not infix
+
−operators.  
+
−
+
−\item Side-conditions must not be conjunctions.  However, an introduction rule
+
−may contain any number of side-conditions.
+
−
+
−\item Side-conditions of the form $x=t$, where the variable~$x$ does not
+
−  occur in~$t$, will be substituted through the rule \verb|mutual_induct|.
+
−\end{itemize}
+
−
+
−
+
−\subsection{Example of an inductive definition}
+
−Two declarations, included in a theory file, define the finite powerset
+
−operator.  First we declare the constant~{\tt Fin}.  Then we declare it
+
−inductively, with two introduction rules:
+
−\begin{ttbox}
+
−consts Fin :: "'a set => 'a set set"
+
−inductive "Fin(A)"
+
−  intrs
+
−    emptyI  "{} : Fin(A)"
+
−    insertI "[| a: A;  b: Fin(A) |] ==> insert(a,b) : Fin(A)"
+
−\end{ttbox}
+
−The resulting theory structure contains a substructure, called~{\tt Fin}.
+
−It contains the {\tt Fin}$(A)$ introduction rules as the list {\tt Fin.intrs},
+
−and also individually as {\tt Fin.emptyI} and {\tt Fin.consI}.  The induction
+
−rule is {\tt Fin.induct}.
+
−
+
−For another example, here is a theory file defining the accessible part of a
+
−relation.  The main thing to note is the use of~{\tt Pow} in the sole
+
−introduction rule, and the corresponding mention of the rule
+
−\verb|Pow_mono| in the {\tt monos} list.  The paper discusses a ZF version
+
−of this example in more detail.
+
−\begin{ttbox}
+
−Acc = WF + 
+
−consts pred :: "['b, ('a * 'b)set] => 'a set"   (*Set of predecessors*)
+
−       acc  :: "('a * 'a)set => 'a set"         (*Accessible part*)
+
−defs   pred_def  "pred(x,r) == {y. <y,x>:r}"
+
−inductive "acc(r)"
+
−  intrs
+
−     pred "pred(a,r): Pow(acc(r)) ==> a: acc(r)"
+
−  monos   "[Pow_mono]"
+
−end
+
−\end{ttbox}
+
−The HOL distribution contains many other inductive definitions, such as the
+
−theory {\tt HOL/ex/PropLog.thy} and the directory {\tt HOL/IMP}.  The
+
−theory {\tt HOL/ex/LList.thy} contains coinductive definitions.
+
−
+
−\index{*coinductive|)} \index{*inductive|)} \underscoreoff
+
−
+
−
+
−\section{The examples directories}
+
−Directory {\tt HOL/Subst} contains Martin Coen's mechanisation of a theory of
+
−substitutions and unifiers.  It is based on Paulson's previous
+
−mechanisation in {\LCF}~\cite{paulson85} of Manna and Waldinger's
+
−theory~\cite{mw81}. 
+
−
+
−Directory {\tt HOL/IMP} contains a mechanised version of a semantic
+
−equivalence proof taken from Winskel~\cite{winskel93}.  It formalises the
+
−denotational and operational semantics of a simple while-language, then
+
−proves the two equivalent.  It contains several datatype and inductive
+
−definitions, and demonstrates their use.
+
−
+
−Directory {\tt HOL/ex} contains other examples and experimental proofs in HOL.
+
−Here is an overview of the more interesting files.
+
−\begin{itemize}
+
−\item File {\tt cla.ML} demonstrates the classical reasoner on over sixty
+
−  predicate calculus theorems, ranging from simple tautologies to
+
−  moderately difficult problems involving equality and quantifiers.
+
−
+
−\item File {\tt meson.ML} contains an experimental implementation of the {\sc
+
−    meson} proof procedure, inspired by Plaisted~\cite{plaisted90}.  It is
+
−  much more powerful than Isabelle's classical reasoner.  But it is less
+
−  useful in practice because it works only for pure logic; it does not
+
−  accept derived rules for the set theory primitives, for example.
+
−
+
−\item File {\tt mesontest.ML} contains test data for the {\sc meson} proof
+
−  procedure.  These are mostly taken from Pelletier \cite{pelletier86}.
+
−
+
−\item File {\tt set.ML} proves Cantor's Theorem, which is presented in
+
−  \S\ref{sec:hol-cantor} below, and the Schr\"oder-Bernstein Theorem.
+
−
+
−\item Theories {\tt InSort} and {\tt Qsort} prove correctness properties of
+
−  insertion sort and quick sort.
+
−
+
−\item The definition of lazy lists demonstrates methods for handling
+
−  infinite data structures and coinduction in higher-order
+
−  logic~\cite{paulson-coind}.  Theory \thydx{LList} defines an operator for
+
−  corecursion on lazy lists, which is used to define a few simple functions
+
−  such as map and append.  Corecursion cannot easily define operations such
+
−  as filter, which can compute indefinitely before yielding the next
+
−  element (if any!) of the lazy list.  A coinduction principle is defined
+
−  for proving equations on lazy lists.
+
−  
+
−\item Theory {\tt PropLog} proves the soundness and completeness of classical
+
−  propositional logic, given a truth table semantics.  The only connective is
+
−  $\imp$.  A Hilbert-style axiom system is specified, and its set of theorems
+
−  defined inductively.  A similar proof in ZF is described
+
−  elsewhere~\cite{paulson-set-II}.
+
−
+
−\item Theory {\tt Term} develops an experimental recursive type definition;
+
−  the recursion goes through the type constructor~\tydx{list}.
+
−
+
−\item Theory {\tt Simult} constructs mutually recursive sets of trees and
+
−  forests, including induction and recursion rules.
+
−
+
−\item Theory {\tt MT} contains Jacob Frost's formalization~\cite{frost93} of
+
−  Milner and Tofte's coinduction example~\cite{milner-coind}.  This
+
−  substantial proof concerns the soundness of a type system for a simple
+
−  functional language.  The semantics of recursion is given by a cyclic
+
−  environment, which makes a coinductive argument appropriate.
+
−\end{itemize}
+
−
+
−
+
−\goodbreak
+
−\section{Example: Cantor's Theorem}\label{sec:hol-cantor}
+
−Cantor's Theorem states that every set has more subsets than it has
+
−elements.  It has become a favourite example in higher-order logic since
+
−it is so easily expressed:
+
−\[  \forall f::[\alpha,\alpha]\To bool. \exists S::\alpha\To bool.
+
−    \forall x::\alpha. f(x) \not= S 
+
−\] 
+
−%
+
−Viewing types as sets, $\alpha\To bool$ represents the powerset
+
−of~$\alpha$.  This version states that for every function from $\alpha$ to
+
−its powerset, some subset is outside its range.  
+
−
+
−The Isabelle proof uses HOL's set theory, with the type $\alpha\,set$ and the
+
−operator \cdx{range}.  The set~$S$ is given as an unknown instead of a
+
−quantified variable so that we may inspect the subset found by the proof.
+
−\begin{ttbox}
+
−goal Set.thy "~ ?S : range(f :: 'a=>'a set)";
+
−{\out Level 0}
+
−{\out ~ ?S : range(f)}
+
−{\out  1. ~ ?S : range(f)}
+
−\end{ttbox}
+
−The first two steps are routine.  The rule \tdx{rangeE} replaces
+
−$\Var{S}\in {\tt range}(f)$ by $\Var{S}=f(x)$ for some~$x$.
+
−\begin{ttbox}
+
−by (resolve_tac [notI] 1);
+
−{\out Level 1}
+
−{\out ~ ?S : range(f)}
+
−{\out  1. ?S : range(f) ==> False}
+
−\ttbreak
+
−by (eresolve_tac [rangeE] 1);
+
−{\out Level 2}
+
−{\out ~ ?S : range(f)}
+
−{\out  1. !!x. ?S = f(x) ==> False}
+
−\end{ttbox}
+
−Next, we apply \tdx{equalityCE}, reasoning that since $\Var{S}=f(x)$,
+
−we have $\Var{c}\in \Var{S}$ if and only if $\Var{c}\in f(x)$ for
+
−any~$\Var{c}$.
+
−\begin{ttbox}
+
−by (eresolve_tac [equalityCE] 1);
+
−{\out Level 3}
+
−{\out ~ ?S : range(f)}
+
−{\out  1. !!x. [| ?c3(x) : ?S; ?c3(x) : f(x) |] ==> False}
+
−{\out  2. !!x. [| ~ ?c3(x) : ?S; ~ ?c3(x) : f(x) |] ==> False}
+
−\end{ttbox}
+
−Now we use a bit of creativity.  Suppose that~$\Var{S}$ has the form of a
+
−comprehension.  Then $\Var{c}\in\{x.\Var{P}(x)\}$ implies
+
−$\Var{P}(\Var{c})$.   Destruct-resolution using \tdx{CollectD}
+
−instantiates~$\Var{S}$ and creates the new assumption.
+
−\begin{ttbox}
+
−by (dresolve_tac [CollectD] 1);
+
−{\out Level 4}
+
−{\out ~ \{x. ?P7(x)\} : range(f)}
+
−{\out  1. !!x. [| ?c3(x) : f(x); ?P7(?c3(x)) |] ==> False}
+
−{\out  2. !!x. [| ~ ?c3(x) : \{x. ?P7(x)\}; ~ ?c3(x) : f(x) |] ==> False}
+
−\end{ttbox}
+
−Forcing a contradiction between the two assumptions of subgoal~1 completes
+
−the instantiation of~$S$.  It is now the set $\{x. x\not\in f(x)\}$, which
+
−is the standard diagonal construction.
+
−\begin{ttbox}
+
−by (contr_tac 1);
+
−{\out Level 5}
+
−{\out ~ \{x. ~ x : f(x)\} : range(f)}
+
−{\out  1. !!x. [| ~ x : \{x. ~ x : f(x)\}; ~ x : f(x) |] ==> False}
+
−\end{ttbox}
+
−The rest should be easy.  To apply \tdx{CollectI} to the negated
+
−assumption, we employ \ttindex{swap_res_tac}:
+
−\begin{ttbox}
+
−by (swap_res_tac [CollectI] 1);
+
−{\out Level 6}
+
−{\out ~ \{x. ~ x : f(x)\} : range(f)}
+
−{\out  1. !!x. [| ~ x : f(x); ~ False |] ==> ~ x : f(x)}
+
−\ttbreak
+
−by (assume_tac 1);
+
−{\out Level 7}
+
−{\out ~ \{x. ~ x : f(x)\} : range(f)}
+
−{\out No subgoals!}
+
−\end{ttbox}
+
−How much creativity is required?  As it happens, Isabelle can prove this
+
−theorem automatically.  The classical set \ttindex{set_cs} contains rules for
+
−most of the constructs of HOL's set theory.  We must augment it with
+
−\tdx{equalityCE} to break up set equalities, and then apply best-first search.
+
−Depth-first search would diverge, but best-first search successfully navigates
+
−through the large search space.  \index{search!best-first}
+
−\begin{ttbox}
+
−choplev 0;
+
−{\out Level 0}
+
−{\out ~ ?S : range(f)}
+
−{\out  1. ~ ?S : range(f)}
+
−\ttbreak
+
−by (best_tac (set_cs addSEs [equalityCE]) 1);
+
−{\out Level 1}
+
−{\out ~ \{x. ~ x : f(x)\} : range(f)}
+
−{\out No subgoals!}
+
−\end{ttbox}
+
−
+
−\index{higher-order logic|)}